example: secure computing kernel needed
David Wagner
daw at taverner.cs.berkeley.edu
Sat Dec 20 20:08:48 EST 2003
William Arbaugh wrote:
>On Dec 16, 2003, at 5:14 PM, David Wagner wrote:
>> Jerrold Leichter wrote:
>>> We've met the enemy, and he is us. *Any* secure computing kernel
>>> that can do
>>> the kinds of things we want out of secure computing kernels, can also
>>> do the
>>> kinds of things we *don't* want out of secure computing kernels.
>>
>> I don't understand why you say that. You can build perfectly good
>> secure computing kernels that don't contain any support for remote
>> attribution. It's all about who has control, isn't it?
>>
>There is no control of your system with remote attestation. Remote
>attestation simply allows the distant end of a communication to
>determine if your configuration is acceptable for them to communicate
>with you.
But you missed my main point. Leichter claims that any secure kernel is
inevitably going to come with all the alleged harms (DRM, lock-in, etc.).
My main point is that this is simply not so.
There are two very different pieces here: that of a secure kernel, and
that of remote attestation. They are separable. TCPA and Palladium
contain both pieces, but that's just an accident; one can easily imagine
a Palladium-- that doesn't contain any support for remote attestation
whatsoever. Whatever you think of remote attestation, it is separable
from the goal of a secure kernel.
This means that we can have a secure kernel without all the harms.
It's not hard to build a secure kernel that doesn't provide any form of
remote attestation, and almost all of the alleged harms would go away if
you remove remote attestation. In short, you *can* have a secure kernel
without having all the kinds of things we don't want. Leichter's claim
is wrong.
This is an important point. It seems that some TCPA and Palladium
advocates would like to tie together security with remote attestion; it
appears they would like you to believe you can't have a secure computer
without also enabling DRM, lock-in, and the other harms. But that's
simply wrong. We can have a secure computer without enabling all the
alleged harms. If we don't like the effects of TCPA and Palladium,
there's no reason we need to accept them. We can have perfectly good
security without TCPA or Palladium.
As for remote attestion, it's true that it does not directly let a remote
party control your computer. I never claimed that. Rather, it enables
remote parties to exert control over your computer in a way that is
not possible without remote attestation. The mechanism is different,
but the end result is similar.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list