An attack on paypal --> secure UI for browsers

Adam Shostack adam at homeport.org
Sat Jun 14 08:22:01 PDT 2003 

On Sat, Jun 14, 2003 at 11:20:16AM -0000, a Microsoft employee wrote:
| Adam Shostack writes:
| 
| > Actually, most of the features of Nogsuccob are features that I 
| > want, like integrity protected, authenticated boot.  The problem, 
| > bundled with those features, is the ability of the system to attest to 
| > its secure boot.  This can be fixed by not letting the host know if 
| > you've exported its host key or not, which makes it possible to run a 
| > virtualized, trusted copy in your emulation environment. 
| 
| Nothing forces you to tell anyone else that you booted securely.  At most
| someone may offer to give you something in exchange for such a proof,
| but you're not obligated to take them up on it.

Well, sure.  And no one forces me to run Microsoft office, either,
except Microsoft's monoploy.  And when the document format can phone
home to prevent piracy or openoffice from running, no one will be
'obligating' me to pay monopoly rents to Microsoft.

In the same way, no one forces me to have a drivers license.  But its
damned hard living life without one.

| It's not clear what you're getting at about exporting the host key.
| These systems (TCs) are generally designed to make that difficult or
| impossible to accomplish.  The security of the whole system is built on
| that assumption.  If you actually did manage to pull out the host key
| then you could make it attest to any falsehood you wanted, although you
| might get caught eventually.

The security of the system to make attestations is built on that
assumption.  However, there are other values that a TBC can offer,
like secure key storage or trusted boot of a known OS image, that I
might like.

My ability to attest to any falsehood is limited by the statements the
key is expected to sign.  How broad are those?  I thought they were
quite limited.


| Trusted Computing lets people convincingly tell the truth about what
| software they are running.  This is seen as a horrific threat in certain
| circles.  It's easy to see why liars wouldn't like it.  What does an
| honest man have to lose?

Interoperability.
Fair use.
Market Choice.
Archives.
Control over their own computers.
Ability to decide when to patch.
The ability to run purchased software..
... privately.
... when there are bugs in the license code.
... when the license server or the network is unavailable.

That's off the top of my head.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

More information about the cypherpunks-legacy mailing list