Unforgeable Blinded Credentials

Hal Finney hal at finney.org
Wed Apr 5 19:25:13 EDT 2006 

John Gilmore writes:
> > I am aware of, Direct Anonymous Attestation proposed for the Trusted
> > Computing group, http://www.zurich.ibm.com/security/daa/ .
>
> > DAA provides
> > optionally unlinkable credential showing and relies on blacklisting to
> > counter credential sharing.
>
> Hmm, why doesn't this blacklisting get mentioned in IBM's DAA page?

They don't use that term, rather they refer to "rogue" TPMs.  This means
TPM keys which have been compromised in some way.  The implication is
that such keys would, once identified, be shut out from the system,
and presumably this would be done by a blacklist.

> What sort of blacklist would this be?  What actions would being listed
> on it trigger?

I don't think the operational details of this are worked out, but I
don't follow this area closely.  No doubt this is part of why none of
these systems have been fielded.  (Computers do get sold with TPMs in
them but the enormous infrastructure envisioned by the Trusted Computing
group is not in place.)

In principle, if your TPM's key got put on this blacklist, it would
prevent you from access to whatever resources require a valid TPM.
What resources those might be would depend on how and where this
technology is used, if it ever is.  But having a blacklisted TPM would
be like not having a TPM at all, in terms of access to network resources.

It may be a little more complex than this, because the DAA protocol
has a couple of different modes in which it may be used.  Rather than
a global blacklist, each TPM-requiring service might maintain its own
local blacklist of rogue TPM identifiers.  Actually I would expect there
to be both kinds of blacklists: a global one based on TPM private keys
which have been scraped and published; and a local one based on TPM
public identifiers (zeta^f values where f is the TPM private key and
zeta is a unique per-site constant) that the site decides are being used
suspiciously often, suggesting that they are being shared by a group.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list