Computer "health certificate" plan: Charney of DoJ/MS

John Gilmore gnu at
Thu Oct 7 06:16:28 EDT 2010

BBC reports that Microsoft's idea seems to be that if your computer
doesn't present a valid "health certificate" to your ISP, then your
ISP wouldn't let it be on the net, or would throttle it down to a tiny
bandwidth.  The Health Certificate would, of course, be provided by
Intel and Microsoft, but only from machines with Treacherous Computing
hardware, after examining everything in your computer to make sure
Intel and Microsoft approve of it all.  (This is the same DRM
procedure they've been pushing for a decade -- the system would
cryptographically "attest" to arbitrary information about what's
running in your machine, using proprietary hardware and software you
have no control over and no ability to inspect, and the outsiders
would decide not to deal with you if they didn't like your
attestation.  The only change is that they've revised their goal from
"record companies won't sell you a song if you won't attest" to
"nobody will give you an Internet connection if you won't attest".)
Homebrew computers and Linux machines need not apply.  They don't
explain how this would actually be implemented -- in Ethernet
switches?  In DSL routers or NAT boxes?  In ISP servers?  They're not
quite sure whether the health certificate should *identify* your
device, but they're leaning in that direction.  But they're quite sure
that it all needs doing, by voluntary means or government coercion,
and that the resulting info about your "device health" should be
widely shared with governments, corporations, etc.

This proposal comes from Microsoft VP Scott Charney, well known to
many of us as the former Chief of the Computer Crime and Intellectual
Property Section in the Criminal Division of the U.S. Department of
Justice, or as he puts it, "the leading federal prosecutor for
computer crimes from 1991 to 1999".  He joined Microsoft in 2002 and
is running their "Treacherous Computing" effort as well as several
other things.

The vision that Charney is driving is described in six papers
here (one of which is the one the BBC is covering):

He's pushing the "Public Health Model" because public health
bureaucracies have huge, largely unchecked powers to apply force to
people who they disfavor.  Along those lines, he converts the public
health departments' most draconian measure, used only in extreme
circumstances -- quarantine -- into the standard procedure for his New
Internet: quarantine EVERY device -- unless and until it "proves" that
it should evade the quarantine.

In his "Establishing End to End Trust" paper (another of the six), he
lays out the computer security problem and decides that defense isn't
enough; authentication, identification, and widespread auditing are
the next step in solving it.  He concludes:

  As we become increasingly dependent on the Internet for all our
  daily activities, can we maintain a globally connected, anonymous,
  untraceable Internet and be dependent on devices that run arbitrary
  code of unknown provenance?  If the answer to that is "no," then we
  need to create a more authenticated and audited Internet environment
  -- one in which people have the information they need to make good
  trust choices.

He makes halfhearted attempts to address privacy and anonymity issues,
but ultimately decides that those decisions will be made somewhere
else (not by the user or consumer, of course).  His analysis
completely ignores the incentives of monopoly hardware and software
providers; of corrupt governments such as our own; of even honest
governments or citizens desiring to act secretly or without
attribution; of advertisers; of the copyright mafia; of others
actively hostile to consumer and civil freedom; and of freedom-supporting
communities such as the free software movement.  It ignores
DRM, abuse of shrink-wrap contracts, copyright maximalization,
censorship, and other trends in consumer abuse.  It's designed by a
career cop/bureaucrat/copyright-enforcer and implemented by a
monopolist -- hardly viewpoints friendly to freedom.

I'd recommend merely ignoring his ideas til they sink like a stone.
But it looks like Intel and Microsoft are actively sneaking up on the
free Internet and the free 10% of the computer market by building in
these techniques and seeking partnerships with governments, ISPs,
telcos, oligopolists, etc to force their use.  So some sort of active
opposition seems appropriate.

Perhaps Linux systems should routinely delete all the
manufacturer-provided device attestation and identification keys from
every Treacherous Computing device they ever boot on.  (This won't
affect keys that the *user* stores in their TPM if they want to.)  If
a significant part of the Internet is physically incapable of
attesting to the monopolists, ISPs will never be able to require such
attestation.  I've certainly deleted those keys on my own PCs that
came with such crap -- so far, no downside.  Let's keep it that way.

Security measures should report to the system owner -- not to the ISP
or the manufacturer.  The owner of the machine should determine which
software it's appropriate for it to run.  This whole idea of
collectivist "approval" of your computing environment gives me the
willies.  In their model, you'd be perfectly free to write a new piece
of software, sort of the way you are perfectly free to design and
build a new house.  First you spend tens of thousands of dollars on a
government-licensed architect and a similarly licensed structural
engineer.  Then you submit your plans to a bureaucrat, and wait.  And
wait.  And they demand changes.  And you negotiate, but they really
don't care what you want; you NEED their approval.  So you wait some
more, then give in to whatever they want.  Don't forget to use union
labor to build your software -- it'll be required.  And any bureaucrat
can come by after an alcoholic lunch to "inspect" your software -- and
if you don't properly kiss their ass and/or bribe them, their "red
tag" will physically keep your software from being usable on every
computer.  Periodically politicians will write bizarre new
requirements into the rules (e.g. you can't use PVC pipe because that
would put local plumbers out of work; or you can't use portable
languages because then your software might run on competing platforms),
and you'll just have to follow orders.  At least that's how the
Planning Department and Building Inspection Department work here in
San Francisco.  I don't see why a software monopoly enforced from the
top would work any differently.  Writing software for any Apple platform
except the Mac is already like that.

	John Gilmore
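As an added illustration, not part of Gilmore's post or of any vendor's code, the following toy model shows the mechanics the post describes: a measurement chain over boot components, a quote signed with a manufacturer-provisioned key, and a verifier (the ISP) that admits only approved measurements. Everything is constructed: the HMAC key stands in for an asymmetric TPM attestation key, and the component names, approved values and nonce are made up.

```python
# Toy model of the attestation-gated admission the post describes. Constructed
# stand-ins: an HMAC key plays the manufacturer attestation key (a real TPM uses
# an asymmetric key the verifier cannot forge with); names and measurements are made up.
import hashlib, hmac, json
MANUFACTURER_KEY = b"constructed-manufacturer-provisioned-key"
VENDOR_STACK = [b"vendor-firmware", b"vendor-bootloader", b"vendor-os"]

def extend(pcr, measurement):
    """TPM-style extend: PCR = H(PCR || H(measurement)); order is significant."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components):
    pcr = bytes(32)  # PCRs start zeroed at reset
    for c in components:
        pcr = extend(pcr, c)
    return pcr

APPROVED_PCRS = {measure_boot(VENDOR_STACK).hex()}  # the "health certificate" whitelist

class Device:
    def __init__(self, components, attestation_key):
        self.pcr = measure_boot(components)
        self.key = attestation_key
    def delete_manufacturer_keys(self):
        self.key = None  # the owner-cleared device the post advocates
    def quote(self, nonce):
        if self.key is None:  # no key, no attestation possible
            return None
        payload = json.dumps({"pcr": self.pcr.hex(), "nonce": nonce.hex()}).encode()
        return {"payload": payload, "sig": hmac.new(self.key, payload, hashlib.sha256).hexdigest()}

def isp_admits(quote, nonce):
    """Verifier policy: genuine manufacturer key, fresh nonce, approved measurement."""
    if quote is None:
        return False
    expected = hmac.new(MANUFACTURER_KEY, quote["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False
    claims = json.loads(quote["payload"])
    return claims["nonce"] == nonce.hex() and claims["pcr"] in APPROVED_PCRS

def demo():
    nonce = bytes(16)  # verifier's challenge; constructed, fixed for the demo
    vendor = Device(VENDOR_STACK, MANUFACTURER_KEY)
    homebrew = Device([b"vendor-firmware", b"coreboot", b"linux"], MANUFACTURER_KEY)
    cleared = Device(VENDOR_STACK, MANUFACTURER_KEY)
    cleared.delete_manufacturer_keys()
    return {"vendor_stack": isp_admits(vendor.quote(nonce), nonce),
            "homebrew_stack": isp_admits(homebrew.quote(nonce), nonce),
            "keys_deleted": isp_admits(cleared.quote(nonce), nonce)}
```

Running `demo()` shows the three outcomes the post argues about: the vendor stack is admitted, a different boot chain yields a different PCR and is refused, and a device whose manufacturer key has been deleted cannot produce a quote at all.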

The Cryptography Mailing List