On Thu, 15 Aug 2002, Lucky Green wrote:
> Hopefully some of those people will not limit themselves to hypothetical attacks against The Spec, but will actually test those supposed attacks on shipping TPMs. Which are readily available in high-end IBM laptops.
But doesn't the owner of the box create the master key for it? They imply that in their advertising, but I've not seen anything else about it. It was advertised to be protection for corporate data, not a DRM/control type thing. It would be very interesting to know the details on that.

I found this:

http://www.pc.ibm.com/ww/resources/security/securitychip.html

but the link to "IBM Embedded Security Subsystem" goes to "page not found". But this one:

http://www.pc.ibm.com/ww/resources/security/secdownload.html

says in part:

"IBM Client Security Software is available via download from the Internet to support IBM NetVista and ThinkPad models equipped with the Embedded Security Subsystem and the new TCPA-compliant Embedded Security Subsystem 2.0. By downloading the software after the systems have been shipped, the customer can be assured that no unauthorized parties have knowledge of the keys and pass phrases designated by the customer."

So it looks like IBM is ahead of Microsoft on this one. But if TCPA isn't fully formalized, what does "TCPA-compliant" mean? In any case, they imply here that the customer needs to contact IBM to turn the thing on, so it does seem that IBM has some kind of master key for the portable. I wonder if they mean IBM is authorized to know the customer's keys?

Patience, persistence, truth,
Dr. mike