example: secure computing kernel needed

David Wagner daw at taverner.cs.berkeley.edu
Mon Dec 29 21:20:05 EST 2003


Ed Reed wrote:
>There are many business uses for such things, like checking to see
>if locked down kiosk computers have been modified (either hardware
>or software),

I'm a bit puzzled why you'd settle for detecting changes when you
can prevent them.  Any change you can detect, you can also prevent
before it even happens.  So the problem statement sounds a little
contrived to me -- but I don't really know anything about kiosks,
so maybe I'm missing something.

In any case, this is an example of an application where owner-directed
remote attestation suffices, so one could support this application
without enabling any of the alleged harms.  (See my previous email.)
In other words, this application is consistent with an "Owner Override".

>verifying that users have not exercised their god-given
>right to install spy-ware and viruses (since they're running with
>administrative privileges, aren't they?),

It sounds like the threat model is that the sysadmins don't trust the
users of the machine.  So why are the sysadmins giving users administrator
or root access to the machine?  It sounds to me like the real problem
here is a broken security architecture that doesn't match up to the
security threat, and remote attestation is a hacked-up patch that's not
going to solve the underlying problems.  But that's just my reaction,
without knowing more.

In any case, this application is also consistent with owner-directed
remote attestation or an "Owner Override".

>and satisfying a consumer that the server they're connected to is
>(or isn't) running software that records has adequate security domain
>protections to protect the user's data (perhaps backup files) the
>user entrusts to the server.

If I don't trust the administrators of that machine to protect sensitive
data appropriately, why would I send sensitive data to them?  I'm not
sure I understand the threat model or the problem statement.

But again, this seems to be another example application that's compatible
with owner-directed remote attestation or an "Owner Override".


Summary: None of these applications require full-strength
(third-party-directed) remote attestation.  It seems that an "Owner
Override" would not disturb these applications.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
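An added illustration of the distinction the post draws between owner-directed and third-party-directed attestation; this is editor-supplied example code, not part of the post, and not any real TPM API. It is a toy model: a hash chain over boot components stands in for a PCR, an HMAC under a key shared between device and verifier stands in for the TPM's attestation signature (real quotes are asymmetric signatures), and the component names and "golden" configuration are constructed sample data. The owner can pin the value the device reports (an "Owner Override"); the kiosk owner checking its own machine is unaffected, while a remote third party can no longer tell a modified device from a clean one.

```python
"""Toy model of remote attestation with an "Owner Override".

Assumptions (not from the post): a SHA-256 extend chain models a PCR,
and an HMAC under a key shared with the verifier models the attestation
signing key. Sample components and the golden configuration are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def measure(components: list[bytes]) -> bytes:
    """PCR-style extend: pcr = H(pcr || H(component)) for each boot component."""
    pcr = bytes(32)
    for c in components:
        pcr = hashlib.sha256(pcr + hashlib.sha256(c).digest()).digest()
    return pcr


@dataclass
class Device:
    attest_key: bytes                        # shared with the verifier (modelling assumption)
    components: list[bytes]                  # what is actually running on the device
    owner_override: Optional[bytes] = None   # value the owner has pinned for reporting, if any

    def set_owner_override(self, reported: Optional[bytes]) -> None:
        """Owner-only control: a remote party has no way to reach this."""
        self.owner_override = reported

    def quote(self, nonce: bytes) -> tuple[bytes, bytes]:
        """Return (reported_measurement, mac over nonce||reported)."""
        actual = measure(self.components)
        reported = self.owner_override if self.owner_override is not None else actual
        mac = hmac.new(self.attest_key, nonce + reported, hashlib.sha256).digest()
        return reported, mac


def verify_quote(attest_key: bytes, nonce: bytes, reported: bytes,
                 mac: bytes, expected: bytes) -> bool:
    """Verifier side: check freshness and authenticity, then compare to the golden value."""
    expected_mac = hmac.new(attest_key, nonce + reported, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected_mac) and hmac.compare_digest(reported, expected)


GOLDEN = [b"firmware-v1", b"kiosk-os-v1", b"kiosk-app-v1"]   # constructed sample config
GOLDEN_PCR = measure(GOLDEN)


def owner_checks_kiosk(tampered: bool) -> bool:
    """Owner-directed attestation: the kiosk owner is also the verifier.
    Returns True if the kiosk is judged unmodified."""
    key = os.urandom(32)
    comps = GOLDEN + ([b"keylogger"] if tampered else [])
    dev = Device(key, comps)              # owner sets no override: no reason to fool itself
    nonce = os.urandom(16)
    reported, mac = dev.quote(nonce)
    return verify_quote(key, nonce, reported, mac, GOLDEN_PCR)


def third_party_checks_device(owner_overrides: bool) -> bool:
    """Third-party-directed attestation: a remote server wants proof the device
    runs GOLDEN, but the device is running a modified app. With an Owner
    Override the owner pins the reported value and the server's check passes."""
    key = os.urandom(32)
    dev = Device(key, GOLDEN + [b"modified-app"])
    if owner_overrides:
        dev.set_owner_override(GOLDEN_PCR)
    nonce = os.urandom(16)
    reported, mac = dev.quote(nonce)
    return verify_quote(key, nonce, reported, mac, GOLDEN_PCR)


if __name__ == "__main__":
    print("owner, clean kiosk   :", owner_checks_kiosk(tampered=False))      # True
    print("owner, tampered kiosk:", owner_checks_kiosk(tampered=True))       # False
    print("3rd party, no override:", third_party_checks_device(False))       # False
    print("3rd party, override   :", third_party_checks_device(True))        # True
```

The two verifier roles call the same verify_quote; what changes is who controls the override. That is the whole of the post's point: the kiosk check, the "did the user install malware" check and the "is the server configured sanely" check are all run by (or on behalf of) the machine's owner, so an override the owner controls costs them nothing, whereas a check run by a remote party against the owner's wishes does need the override to be absent.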
