on 6/23/02 6:50 AM, R. A. Hettinga at rah@shipwright.com wrote:

--- begin forwarded text

Status: U From: "Lucky Green" <shamrock@cypherpunks.to> To: <cypherpunks@lne.com> Cc: <cryptography@wasabisystems.com> Subject: RE: Ross's TCPA paper Date: Sat, 22 Jun 2002 23:01:12 -0700 Sender: owner-cypherpunks@lne.com

<Tres Snippage..>

None of these obstacles are impossible to overcome, but not by Joe Computer User, not by even the most talented 16-year old hacker, and not even by many folks in the field. Sure, I know some that could overcome it, but they may not be willing to do the time for what by then will be a crime. Come to think of it, doing so already is a crime.

--Lucky Green

--- end forwarded text

The discussion of TCPA has a tendency to avoid serious discussion of what I feel is the core security issue: ownership of the platform. Comments such as Lucky's: "TPM will make it near impossible for the owner of that motherboard to access supervisor mode on the CPU without their knowledge" obfuscate this. The Trusted Computing Platform includes the TPM, the motherboard and the CPU, all wired together with some amount of tamper resistance. It is meaningless to speak of different "owners" of different parts. The owner of a TCP might be a corporate IT department (for employee machines), a cable company (for set-top boxen), or an individual. The important question is not whether trusted platforms are a good idea, but who will own them. Purchasing a TCP without the keys to the TPM is like buying property without doing a title search. Of course it is possible to _rent_ property from a title holder, and in some cases this is desirable. I would think a TCP _with_ ownership of the TPM would be every paranoid cypherpunk's wet dream. A box which would tell you if it had been tampered with either in hardware or software? Great. Someone else's TCP is more like a rental car: you want the rental company to be completely responsible for the safety of the vehicle. This is the economic achilles heal of using TCPA for DRM. Who is going to take financial responsibility for the proper operation of the platform? It can work for a set top box, but it won't fly for a general purpose computer. --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'