An attack on paypal --> secure UI for browsers

Anonymous via the Cypherpunks Tonga Remailer nobody at cypherpunks.to
Mon Jun 16 13:30:55 PDT 2003


David Wagner wrote:
> But take a look at one line you quoted from the FAQ:
> 
>     "Only one nexus at a time will be able to run on a machine."
> 
> That looks to me like an important sentence.

The Nexus is like a mini-OS for the trusted side of the machine.  It acts
as a kernel to manage the "trusted applications", the Nexus Computing
Agents or NCAs.

So what this sentence is really saying is that only one (trusted) OS
will be able to run at a time on a machine.  That's not that surprising
or significant.  Most machines only run one OS at a time.  Sure, with
virtualization and similar techniques you can manage to run more than
one OS at once, but that's unusual.  Probably 99.9% of machines are only
running one OS at a time.

Virtualization is not an option with trusted computing because part of
the point is to be able to offer assurance to remote users about what
the machine will do (i.e. its behavior is predictable, hence trusted).
This implies that it only makes sense to run one trusted OS at a time.
That's probably all the "important" sentence above means.


Adam Lydick wrote:

> That is certainly a good point but don't confuse the "nexus" with NCAs
> (agents). I think the nexus just provides services to the NCAs which
> actually do the work. Think of it as a core library that services can
> draw on.

Right, plus it schedules and loads them, etc., like an OS kernel.  Here is
a simplified form of a diagram they use.  The left hand side is the
legacy mode, with normal Windows applications and OS.  The right hand
side is the new trusted mode, with NCAs as the applications and Nexus
as the OS.

       Normal Mode                  Trusted Mode
+---------------------------++------------------------+
|                           ||                        |
|       Applications        ||        NCAs            |  USER
|                           ||                        |
|---------------------------++------------------------|
|                           ||                        |
|     Main Windows OS       ||       Nexus            |  KERNEL
|                           ||                        |
+---------------------------++------------------------+


> So having to trust the nexus, is rather like trusting kernel32.dll or
> some other core components. Choosing to trust/run NCA sounds pretty
> granular, so you can trust your validated P2P stack from your favorite
> independent developer and ignore (if you can) the restrictive DRM
> solutions that are offered.

Yes, it sounds like it will work exactly like that.  Plus, hopefully
it will be possible for Linux to create its own Nexus ("Linexus"?) that
uses the same hardware features to provide TC capabilities for that OS.
Recall that Linus Torvalds recently adopted the position that DRM was
an acceptable technology for Linux, even when it involved being built
into the kernel.  Since DRM is the main downside to TC for many people,
and TC has many more good aspects beyond DRM, it is a near certainty
that Linux will add support for Trusted Computing.

> Problems certainly remain though:
>
> In the validated P2P scenario, an Adversary with enough influence to
> have Intel/AMD/... hand out a signed internal key can circumvent any
> such "protections".

Right, he could watch all the Disney movies he wanted, without paying
for them!  Mwaa haa haa!  Foolish humans!

But seriously, these systems can only raise the cost of security.
Neither cypherpunks nor Sony should risk their collective lives that no
one will break Palladium, by hook or by crook.
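The attestation argument above (a remote party is told what Nexus and NCAs the machine loaded, so exactly one trusted kernel must govern the trusted side) and the "signed internal key" objection are both easy to see in a toy model. The following is an added illustration, not Palladium or Nexus code and not from the thread: a platform register is extended with the hash of each trusted-side component as it is loaded, the platform signs that register bound to a verifier nonce, and the verifier replays the event log against a policy of known-good hashes. It assumes an HMAC secret shared with the verifier as a stand-in for the hardware attestation key, and all component "images" are constructed sample bytes.

```python
"""Toy measured-boot / remote-attestation model (added illustration, not Palladium
or Nexus code).  A platform register is extended with the hash of each component
loaded on the trusted side (the Nexus, then each NCA); a remote verifier accepts a
signed quote only if a log of known-good entries with exactly one Nexus reproduces
the register.  Assumptions: an HMAC secret shared with the verifier stands in for
the hardware attestation key; component images are constructed sample bytes."""
import hashlib
import hmac
from dataclasses import dataclass, field

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Constructed sample component images (not real software).
NEXUS_IMAGE = b"nexus-v1"
ROGUE_NEXUS_IMAGE = b"nexus-with-backdoor"
NCA_P2P_IMAGE = b"validated-p2p-stack"
NCA_DRM_IMAGE = b"restrictive-drm-agent"
# Assumption: shared secret standing in for the per-platform attestation key.
ATTESTATION_KEY = b"platform-endorsement-secret"

def sign_quote(key: bytes, nonce: bytes, register: bytes) -> bytes:
    return hmac.new(key, nonce + register, "sha256").digest()

@dataclass
class Platform:
    register: bytes = field(default_factory=lambda: bytes(32))
    event_log: list = field(default_factory=list)

    def load(self, role: str, image: bytes) -> None:
        """Measure before running: register = H(old || H(image)), so the final
        value binds the whole load history, including order."""
        digest = sha256(image)
        self.event_log.append((role, digest))
        self.register = sha256(self.register + digest)

    def quote(self, nonce: bytes) -> dict:
        """Sign the register bound to the verifier's nonce (defeats replay)."""
        return {"nonce": nonce, "register": self.register, "log": list(self.event_log),
                "mac": sign_quote(ATTESTATION_KEY, nonce, self.register)}

@dataclass
class Verifier:
    known_good_nexus: set
    known_good_ncas: set

    def verify(self, nonce: bytes, q: dict) -> bool:
        # 1. Fresh, and signed by a platform key the verifier trusts.
        if q["nonce"] != nonce:
            return False
        if not hmac.compare_digest(sign_quote(ATTESTATION_KEY, nonce, q["register"]), q["mac"]):
            return False
        # 2. Replay the log: every entry must be in policy, and the replayed
        #    register must equal the signed one (an edited log fails here).
        reg, nexus_count = bytes(32), 0
        for role, digest in q["log"]:
            if role == "nexus" and digest in self.known_good_nexus:
                nexus_count += 1
            elif not (role == "nca" and digest in self.known_good_ncas):
                return False
            reg = sha256(reg + digest)
        # 3. Exactly one Nexus: the verifier's prediction of what the machine
        #    will do rests on a single trusted kernel governing every NCA.
        return nexus_count == 1 and reg == q["register"]

def forge_quote(leaked_key: bytes, nonce: bytes, fake_log: list) -> dict:
    """The adversary from the thread: holding a signed internal key, sign a
    register computed from a policy-compliant log that never actually ran."""
    reg = bytes(32)
    for _, digest in fake_log:
        reg = sha256(reg + digest)
    return {"nonce": nonce, "register": reg, "log": list(fake_log),
            "mac": sign_quote(leaked_key, nonce, reg)}

def demo() -> dict:
    policy = Verifier({sha256(NEXUS_IMAGE)}, {sha256(NCA_P2P_IMAGE), sha256(NCA_DRM_IMAGE)})
    nonce = b"verifier-nonce-1"
    good, rogue, two = Platform(), Platform(), Platform()
    good.load("nexus", NEXUS_IMAGE);  good.load("nca", NCA_P2P_IMAGE)
    rogue.load("nexus", ROGUE_NEXUS_IMAGE); rogue.load("nca", NCA_P2P_IMAGE)
    two.load("nexus", NEXUS_IMAGE);   two.load("nexus", NEXUS_IMAGE)
    edited = good.quote(nonce)                      # log rewritten after signing
    edited["log"] = edited["log"][:1]
    honest_log = [("nexus", sha256(NEXUS_IMAGE)), ("nca", sha256(NCA_P2P_IMAGE))]
    return {
        "good": policy.verify(nonce, good.quote(nonce)),
        "rogue_nexus": policy.verify(nonce, rogue.quote(nonce)),
        "two_nexuses": policy.verify(nonce, two.quote(nonce)),
        "edited_log": policy.verify(nonce, edited),
        "stale_nonce": policy.verify(b"verifier-nonce-2", good.quote(nonce)),
        "leaked_key": policy.verify(nonce, forge_quote(ATTESTATION_KEY, nonce, honest_log)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}")
```

The only case the verifier accepts besides the honest boot is the forged quote: once the attestation key is in the adversary's hands, every cryptographic check passes and the verifier has no way to learn that the policy-compliant log never ran. That is exactly why the key handed out by the chip vendor is the whole game, and why the model only raises the attacker's cost rather than guaranteeing anything.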
