Dell to Add Security Chip to PCs
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Feb 4 06:47:58 EST 2005
Erwann ABALEA <erwann at abalea.com> writes:
>I've read your objections. Maybe I wasn't clear. What's wrong in installing a
>cryptographic device by default on PC motherboards? I work for a PKI 'vendor',
>and for me, software private keys is a nonsense.
A simple crypto device controlled by the same software is only slightly less
nonsensical. That is, the difference between software-controlled keys and a
device controlling the keys that does anything the software tells it to is
negligible. To get any real security you need to add a trusted display, I/O
system, clock, and complete crypto message-processing capability (not just
"generate a signature" like the current generation of smart cards do), and
that's a long way removed from what TCPA gives you.
>You could obviously say that Mr Smith won't be able to move his certificates
>from machine A to machine B, but more than 98% of the time, Mr Smith doesn't
>need to do that.
Yes he will. That is, he may not really need to do it, but he really, really
wants to do it. Look at the almost-universal use of PKCS #12 to allow people
to spread their keys around all over the place - any product aimed at a mass-
market audience that prevents key moving is pretty much dead in the water.
>Installing a TCPA chip is not a bad idea.
The only effective thing a TCPA chip gives you is a built-in dongle on every
PC. Whether having a ready-made dongle hardwired into every PC is a good or
bad thing depends on the user (that is, the software vendor using the TCPA
device, not the PC user).
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list