hiding attestation from the consumer

John Gilmore gnu at toad.com
Wed Dec 31 01:16:38 EST 2003


>There isn't really any security benefit obtained by hiding
>the content of the attestation _from the party providing it_!

This statement reveals confusion between the "parties".  There are at least
three parties involved in an attestation:

  *  The DRM'd product vendor (somewhere on the net)
  *  The consumer (sitting at their PC)
  *  The PC hardware and software vendors (building attestation in)

There are strong reasons to hide the content of the attestation -- or
even its mere existence -- from the consumer party.  If consumers knew
their PCs were spying on them and letting vendors say, "Sorry, our
server is down today" not because the server is down, but because the
consumer's PC is blacklisted, then consumers would be upset.  It's a
much simpler "customer relations" problem if it just doesn't happen to
work, without the consumer ever finding out that they live in a
redlined neighborhood and it will NEVER work for them.

It's really easy to infer that DRM problems are going to be
deliberately inscrutable.  You don't see DRM vendors advertising the
restrictions on their products.  These restrictions aren't in boldface
in the table of contents.  They're hidden deep in the guts of the
manual, if they appear at all.  (In the list of error messages is
where you usually find 'em, with a very brief mention.)  It's the
consumer's fault, or their ISP's fault, or somebody else's, if the
site doesn't work for you.  If your DAT recorder won't record, you
must have cabled it up wrong.  If your HDTV won't work, you ran it
through your VCR by mistake.  And if your music site won't download to
you, you must have installed your software wrong, or there's a
firewall problem, or your codecs are incompatible, or something.  When
the entire goal is to covertly change consumer behavior, by making
things that are utterly legal simply NOT WORK, plain language about
the restrictions has no place.  Consumer problems caused by DRM are
seldom advertised, documented, or reported as the DRM's fault.

You can get a similar effect merely by turning off cookies and
JavaScript today.  (You *do* use a browser that has simple switches to
turn these off, right?  Mozilla is your friend, and it runs on your
platform.)  Web sites will start to fail at random, in inscrutable
ways.  Only about 1% of them will tell you "This site requires
JavaScript" -- and of those that do, only about a quarter of them
actually do require it.

	John Gilmore

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


