[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Restricted storage

From: Michal Suchanek
Subject: Re: Restricted storage
Date: Tue, 6 Jun 2006 17:29:02 +0200

On 6/1/06, Jonathan S. Shapiro <address@hidden> wrote:
On Thu, 2006-06-01 at 22:26 +0200, Michal Suchanek wrote:

In my experience, the set of fully reliably administrators is a set of
size zero. The set of network-disconnected machines is a much larger
set, but I don't think we would be satisfied with a "safe only when
disconnected" design. Redmond has already produced one of those.

So in the design space of interest, we must assume "network connected",
and *I* assume that the Administrator is human and fallible. The
question now is: what can we assume about the administrative tools?

In the absence of TC, the answer in the *general* case is "nothing".
Therefore, we must conservatively assume that the entire machine is
compromised in the absence of direct knowledge of the Administrator.

Under these conditions, we would necessarily conclude the following
about our two options:

        TC+OS <<<< OS+Administrator

> And I personally do not find much confidence in the TC. It turned out
> that CAs for SSL aren't very trustworthy, and I do not see any
> principial difference between the CA scheme and the TC scheme.

This depends greatly on the CA, and the CA process for TC chips has been
much more carefully handled than the one for SSL.

> I would say that in the other case the TC is the weak link....

What empirical evidence can you offfer to support this assumption? It
seems very unlikely on many grounds.

In the end, the TC keys are still managed by an administrator. The set
of reliable administrators is zero (you said that :).

Even if you verify some chips, there is no guarantee that they will not
- start producing a new revision
- give away keys to sign something else than the chips

Plus there is the problem of signing all those chips. How whould an US
chip maufacturer manage that? Will they have the chips signed in
Taiwan and China, or will they first get all the zillions of chips
transported to the US and sign them there?

How much do you trust a chip signed in China?

Now in case of TC it either works for everybody or it fails for
everybody (or at least a substantial part of the world). But I find
the situation where things fail locally better than the one where
there are only large catastrophic failures.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]