dangers of TCPA/palladium

AARG! Anonymous remailer at aarg.net
Mon Aug 12 11:15:10 PDT 2002


Mike Rosing wrote:

> The difference is fundamental: I can change every bit of flash in my BIOS.
> I can not change *anything* in the TPM.  *I* control my BIOS.  IF, and
> only IF, I can control the TPM will I trust it to extend my trust to
> others.  The purpose of TCPA as spec'ed is to remove my control and
> make the platform "trusted" to one entity.  That entity has the master
> key to the TPM.
> 
> Now, if the spec says I can install my own key into the TPM, then yes,
> it is a very useful tool.  It would be fantastic in all the portables
> that have been stolen from the FBI for example.  Assuming they use a
> password at turn on, and the TPM is used to send data over the net,
> then they'd know where all their units are and know they weren't
> compromised (or how badly compromised anyway).
> 
> But as spec'ed, it is very seriously flawed.

Ben Laurie replied:

> Although the outcome _may_ be like this, your understanding of the TPM 
> is seriously flawed - it doesn't prevent you from running whatever you 
> want, but what it does do is allow a remote machine to confirm what you 
> have chosen to run.

David Wagner commented:

> I don't understand your objection.  It doesn't look to me like Rosing
> said anything incorrect.  Did I miss something?
>
> It doesn't look like he ever claimed that TCPA directly prevents one from
> running what you want to; rather, he claimed that its purpose (or effect)
> is to reduce his control, to the benefit of others.  His claims appear
> to be accurate, according to the best information I've seen.

I don't believe that is an accurate paraphrase of what Mike Rosing said.
He said the purpose (not effect) was to remove (not reduce) his control,
and make the platform trusted to one entity (not "for the benefit of
others").  Unless you want to defend the notion that the purpose of TCPA
is to *remove* user control of his machine, and make it trusted to only
*one other entity* (rather than a general capability for remote trust),
then I think you should accept that what he said was wrong.

And Mike said more than this.  He said that if he could install his own
key into the TPM that would make it a very useful tool.  This is wrong;
it would completely undermine the trust guarantees of TCPA, make it
impossible for remote observers to draw any useful conclusions about the
state of the system, and render the whole thing useless.  He also talked
about how this could be used to make systems "phone home" at boot time.
But TCPA has nothing to do with any such functionality as this.

In contrast, Ben Laurie's characterization of TCPA is 100% factual and
accurate.  Do you at least agree with that much, even if you disagree
with my criticism of Mike Rosing's comments?




