example: secure computing kernel needed

bear bear at sonic.net
Mon Dec 15 18:25:23 EST 2003



On Sun, 14 Dec 2003, Jerrold Leichter wrote:

>Which brings up the interesting question:  Just why are the reactions to TCPA
>so strong?  Is it because MS - who no one wants to trust - is involved?  Is
>it just the pervasiveness:  Not everyone has a smart card, but if TCPA wins
>out, everyone will have this lump inside of their machine.

It is because this lump which we have no control over (aside from
the trivial degree of control implied by simply refusing to use it
at all) is proposed for presence inside machines which we use for
doing things important to us.

Most of us have a relatively few applications for such a device,
and we want to keep those applications completely separate from our
other use of our computers.  A dongle is more acceptable than the
TCPA hardware because it can be detached from the computer leaving
a usable machine, and because in order to reach a broad market you
cannot write software assuming its existence.

I would not object to a tamper-resistant stainless-steel
hardware token that I needed to carry with me in order to access
financial transactions (or whatever).  That's a hardware token
with a single application, which is not at all mixed up with or
involved with the fundamental hardware or software that I depend
on for all my other applications.

But I do object, in strongest possible terms, to the proposal to
weld some device into my personal computer, give it the highest
privilege mode, allow it to read or write arbitrary data on the
bus or the network interface, forbid me from looking inside it
or altering its contents, and allow it to communicate on my behalf
to unknown hosts over the internet.

I like to think that I am the person who owns my machine and that
ownership carries with it the privilege of deciding what to run
or not run on it.  TCPA assigns to others the privilege of blocking
basic, ordinary functionality if they don't know or like some
program I'm running.  But what programs I'm running on my machine
in my home is not their business unless they are trying to literally
take control of my machine away from me.

If they've got stuff that needs to be done in a secure environment
and they don't trust me to run a machine to do it on, let them run
it on their own machines rather than taking mine over by proxy.
Fair's fair; *I* own this one; *They* own that one.  What either
of us doesn't trust the other with, we must run ourselves.

I believe that if TCPA or something like it is adopted, vendors
will respond by ceasing to make any applications that are at all
useful on machines where it is not present, enabled, and loaded
with some specified default configuration that basically gives
them all ownership rights to my machines.  In a world where basic
functionality depends on such applications, no one has any choice
any more about whether to enable it or what to run on it.

>I think many of the reasons people will give will turn out, on close
>reflection, to be invalid.  Sure, you can choose not to buy software that uses
>dongles - and you'll be able to choose software that doesn't rely on TCPA.

I do not believe that the long-term goals of the TCPA partners are
consistent with the continued feasibility of operating machines
that don't rely on TCPA.

>I think the real threat of TCPA is not in any particular thing it does, but in
>that it in effect 'renders the world safe for dongles'.  MS *could* today require
>that you have a dongle to use Word - but to do so, even with their monopoly
>power, would be to quickly lose the market.  Dongles are too inconvenient, and
>carry too much baggage.  But when the dongle comes pre-installed on every
>machine, the whole dynamic changes.

Indeed.  I cannot comprehend that you have such a complete grasp of
the problem but don't find that a very compelling argument *against*
the TCPA mechanism.

Remember that the world suffered through seven centuries of imprimaturs
before freedom of the press was recognized as fundamental to liberty. I
think that freedom and self-determination in computing applications is
equally important and that the TCPA is a step toward a technology that
would enable the same kind of struggle over that freedom.

A secure kernel is a kernel that the *owner* of the machine can trust.

				Bear

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com