Ross's TCPA paper

Paul Harrison pth-02 at pacbell.net
Sun Jun 23 12:53:42 PDT 2002


on 6/23/02 6:50 AM, R. A. Hettinga at rah at shipwright.com wrote:

>
> --- begin forwarded text
>
>
> Status:  U
> From: "Lucky Green" <shamrock at cypherpunks.to>
> To: <cypherpunks at lne.com>
> Cc: <cryptography at wasabisystems.com>
> Subject: RE: Ross's TCPA paper
> Date: Sat, 22 Jun 2002 23:01:12 -0700
> Sender: owner-cypherpunks at lne.com
>
<Tres Snippage..>
> None of these obstacles are impossible to overcome, but not by Joe
> Computer User, not by even the most talented 16-year old hacker, and not
> even by many folks in the field. Sure, I know some that could overcome
> it, but they may not be willing to do the time for what by then will be
> a crime. Come to think of it, doing so already is a crime.
>
> --Lucky Green
>
> --- end forwarded text
>
The discussion of TCPA has a tendency to avoid serious discussion of what I
feel is the core security issue:  ownership of the platform.  Comments such
as Lucky's:

"TPM will make it near impossible for the owner of that motherboard to
access supervisor mode on the CPU without their knowledge"

obfuscate this.  The Trusted Computing Platform includes the TPM, the
motherboard and the CPU, all wired together with some amount of tamper
resistance.  It is meaningless to speak of different "owners" of different
parts.  The owner of a TCP might be a corporate IT department (for employee
machines), a cable company (for set-top boxen), or an individual.  The
important question is not whether trusted platforms are a good idea, but
who will own them.  Purchasing a TCP without the keys to the TPM is like
buying property without doing a title search.  Of course it is possible to
_rent_ property from a title holder, and in some cases this is desirable.

I would think a TCP _with_ ownership of the TPM would be every paranoid
cypherpunk's wet dream.  A box which would tell you if it had been tampered
with either in hardware or software?  Great.  Someone else's TCP is more
like a rental car:  you want the rental company to be completely responsible
for the safety of the vehicle.  This is the economic achilles heal of using
TCPA for DRM.  Who is going to take financial responsibility for the proper
operation of the platform?  It can work for a set top box, but it won't fly
for a general purpose computer.

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'





More information about the cypherpunks-legacy mailing list