> I've never heard of anyone with a solid background in crypto who
> thinks that any form of Trusted Computing has any redeeming value
> whatsoever (unless said person is in it for the money or the power).
> For me, this is major food for thought.
>
> Worth reading: http://rpow.net/security.html
>
>
> Eric
>
I think the problem is that the words "trusted computing" have been used
both to describe some really exciting and useful cryoptographic
techniques, and some scary monopoly/control techniques tied to business
practices.
I think explanations of the phrase "trusted computing" have been given
that are either based in ignorance or are intentional lies. (I have
archived some of the worst ones for reference.) However, AFAIK, the
core of TC has always been understood to consist of
1. Remote Attestation
2. Secure key storage (i.e. key storage that treacherously refuses to
let the user have access to their own cryptographic keys).
Especially at the start of the trusted computing wave when no-one really
knew what the words meant, I heard a lot of pretty cool stuff discussed by
people with solid backgrounds in crypto and called "trusted computing".
I would be interested in hearing about some of this cool stuff. I was
genuinely surprised to see someone who understood Trusted Computing
(as defined by the Trusted Computing Group) advocating its use.
Given that we want computers with network access AND privacy, we're going
to have to have consumer adoptable cryptography.
I don't think consumer adoptable cryptography means Trusted Computing.
Trusted Computing, by placing control of all PCs into the hands on one
organization, means denying consumers (citizens!) the benefits of
privacy and authentication that could be gained from encryption and
digital signatures.
Given that we want to
solve SPAM we're going to have to integrate cryptographic handshaking into
email.
Only accepting cryptographically signed mail would cut down a lot on
spam, both because of the CPU requirements and the authentication
aspect, but this does not require Trusted Computing. We have the tools
now. The problems are a lack of willingness to change on the part of
computer users and the poor quality of the software available.
The cryptographic tools are some of the same ones as those used
for DRM, copy protection, automatic software updates (which themselves are
a mixed blessing), etc.
DRM and copy protection are not applications of cryptography. When you
turn over the decryption key and the encrypted secret data to the
enemy (i.e. the consumer), you might as well just give them the secret
data directly. DRM and copy protection are examples of obfuscation.
Sometimes the lines get kind of blurry, as when bluefrog set up a botnet
disguised as an anti-spam service and went head to head with the
underground spam botnets (and lost, it turns out):
That was a good read! Thanks for the link,
Eric
|