Re: awareness + flexibility + security

[Jonathan S. Shapiro]

On Mon, 2005-11-14 at 09:32 +0100, Bas Wijnen wrote:
> This is not about things for customers, it's about things for service
> providers.  I know in some cases the line between them is blurry.
> 
> Say I provide a service to people who don't know you, for example web
> hosting.  Assume that you want to use my service for your company, and that
> you want to put some internal secret company data in a protected section of
> your site.  You will want to make sure that unauthorized people cannot access
> that data, and that includes me.  So if I don't prove to you that I am unable
> to access it, you will not do business with me, or at least not put that data
> on it.  Then we both lose....

The service provisioning business is one of the postive uses of TPM
technology that I can see. And this is a great example where the system
administrator is not really trusted.

However, the incentive is a little stronger than you suggest.

If a service provider business emerges, and the open source community
has decided NOT to support attestation in some form, then one of two
things will happen:

  1. Somebody will add it in, or
  2. Customers will be forced to use non-open systems

The competitive issue here is serious.

However, this is also an example where the provider can consent on a
case by case basis. For example, they might say "I will respond to
attestation requests for certain things, but not my music player".

shap