MS White Paper Says Palladium not DRM

Seth Johnson seth.johnson at RealMeasures.dyndns.org
Wed Aug 14 09:34:11 EDT 2002


> http://www.theregister.co.uk/content/4/26231.html

MS white paper says Palladium open, clean, not DRM
By John Lettice
Posted: 17/07/2002 at 09:25 GMT


A final draft of Microsoft's Palladium consultation white
paper appears to have escaped, and is currently being hosted
by Neowin.net. Microsoft intends to open Palladium up for
discussion, but it's not as yet clear to us whether this
means it will be distributing the white paper to all and
sundry, or whether it envisages a more restricted
distribution list. In any event we haven't been able to nail
down anywhere on the Microsoft site you can get it,* or any
mention of the Microsoft Content Security Business Unit,
which authored it. 

There's much in the paper that's interesting, and it's even
interesting that it's in PDF format, rather than Word - the
authors are clearly having a bash at being ecumenical.
Palladium, it stresses, is not an operating system, but a
collection of trusted subsystems and components that are
opt-in. You will not get the advantages of Palladium if you
don't opt in, of course, but you don't have to. It's also
some years off, but one of the objectives is to make "a
Windows-based device a trustworthy environment for any
data." Which is a tall order. 

Software will have to be rewritten or specially developed to
take advantage of Palladium, and software of this class is
referred to as a Trusted Agent. Users will be able to
separate their data into "realms," which are analogous to
vaults and can have varying access and security criteria.
The system does not need to know who you are, indeed doesn't
really want to know who you are, because it's about
verifying the identity of machines. So a company could
identify an employee's home machine for secure operation
remotely on the corporate network. 

Then it gets really interesting. "Palladium will not require
Digital Rights Management (DRM) technology, and DRM will not
require Palladium... They are separate technologies." Now,
we know they don't need to be separate technologies, we know
that Palladium could enhance DRM considerably, and we
suspect that at least some people at Microsoft would take
this route if they thought they could get away with it. But
the authors here seem to have concluded that Palladium will
not fly if it has a whiff of DRM about it, and are
determined to distance themselves. This is good, people, if
we all keep shouting 'DRM bad!' they stand a chance of not
having their minds changed for them. 

Deeper into the Department of Bizarre Revolutions we have:
"A Palladium system will be open at all levels." The
hardware will "run any TOR" (Trusted Operating Root), the
TOR will run "trusted agents from any publisher," will "work
with any trusted service provider," (the authors envisage
this as a new service category) and it'll all be
independently verified. 

TOR source code will be published, Palladium will be
regularly examined "by a credible security auditor" and
anyone "can certify Palladium hardware or software, and we
expect that many companies and organizations will offer this
service." 

Of course, right now these are only words, the terms and
conditions for publication, verification and auditing
haven't been revealed, and Microsoft has a long and
inglorious record in Untrustworthy Industry Leadership to
overcome before we entirely buy the Trustworthy Computing
pitch. However, as far as it goes, this little lot sounds
plausible. If it were any other company, you might even be
inclined to take it at face value. Keep talking, people, and
prove you mean it. ® 

* We have, bizarrely, found an entirely unconnected
Palladium white paper on an entirely different Palladium
from Templar Corporation. You're probably not interested
(we're not), but it's here.


---------------------------------------------------------------------
The Cryptography Mailing List