[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Restricted storage
|
From: |
Jonathan S. Shapiro |
|
Subject: |
Re: Restricted storage |
|
Date: |
Thu, 01 Jun 2006 16:51:45 -0400 |
On Thu, 2006-06-01 at 22:26 +0200, Michal Suchanek wrote:
> > Easy: In one case, they *only* need to rely on the OS+TC builders. In
> > the other case, they need to rely on OS+TC+Installer. One dependency set
>
> You deliberately enlarge the second group. Only the OS and the
> Installer (machine owner) belong ot the second group.
First, as I clarified in a later note, I got the list above wrong. It
should be:
TC+OS vs. OS+Installer+Admnistrator
You tend to assume that Installer == Administrator == Owner, and this is
fine as a simplifying assumption, but note that this often is not true
in practice. I am going to assume that the person who did the install
was smart enough to run the CD install process correctly, which will let
me focus on the "Administrator".
If we know the Administrator, and we believe that they engage in fully
reliable administration, OR we believe that the machine is fully
disconnected (no network, no new software installs), OR we believe that
the administrator is somehow restricted to acting through "safe"
administrative tools, then you may be correct that
OS+Administrator < TC+OS
In my experience, the set of fully reliably administrators is a set of
size zero. The set of network-disconnected machines is a much larger
set, but I don't think we would be satisfied with a "safe only when
disconnected" design. Redmond has already produced one of those.
So in the design space of interest, we must assume "network connected",
and *I* assume that the Administrator is human and fallible. The
question now is: what can we assume about the administrative tools?
In the absence of TC, the answer in the *general* case is "nothing".
Therefore, we must conservatively assume that the entire machine is
compromised in the absence of direct knowledge of the Administrator.
Under these conditions, we would necessarily conclude the following
about our two options:
TC+OS <<<< OS+Administrator
> And I personally do not find much confidence in the TC. It turned out
> that CAs for SSL aren't very trustworthy, and I do not see any
> principial difference between the CA scheme and the TC scheme.
This depends greatly on the CA, and the CA process for TC chips has been
much more carefully handled than the one for SSL.
> I would say that in the other case the TC is the weak link....
What empirical evidence can you offfer to support this assumption? It
seems very unlikely on many grounds.
shap
- Re: Restricted storage, (continued)
- Re: Restricted storage, Bas Wijnen, 2006/06/01
- Re: Restricted storage, Jonathan S. Shapiro, 2006/06/01
- Re: Restricted storage, Marcus Brinkmann, 2006/06/01
- Re: Restricted storage, Jonathan S. Shapiro, 2006/06/01
- Re: Restricted storage, Bas Wijnen, 2006/06/01
- Re: Restricted storage, Jonathan S. Shapiro, 2006/06/01
- Re: Restricted storage, Bas Wijnen, 2006/06/01
- Re: Restricted storage, Jonathan S. Shapiro, 2006/06/01
- Re: Restricted storage, Bas Wijnen, 2006/06/02
- Re: Restricted storage, Michal Suchanek, 2006/06/01
- Re: Restricted storage,
Jonathan S. Shapiro <=
- Re: Restricted storage, Michal Suchanek, 2006/06/06
- Re: Restricted storage, Jonathan S. Shapiro, 2006/06/06
- Re: Restricted storage, Michal Suchanek, 2006/06/07
- Re: Restricted storage, Jonathan S. Shapiro, 2006/06/07
- Re: Restricted storage, Michal Suchanek, 2006/06/08
- Re: Restricted storage, Marcus Brinkmann, 2006/06/01
- Re: Restricted storage, Jonathan S. Shapiro, 2006/06/01
- RE: Restricted storage, Christopher Nelson, 2006/06/05
- Re: Restricted storage, Marcus Brinkmann, 2006/06/05
- RE: Restricted storage, Christopher Nelson, 2006/06/05