Re: Physical access without ultimate power? (was Re: Design principles and ethics (was [...])))

From: Bas Wijnen
Subject: Re: Physical access without ultimate power? (was Re: Design principles and ethics (was [...])))
Date: Sun, 30 Apr 2006 22:50:53 +0200
User-agent: Mutt/1.5.11+cvs20060403

On Sun, Apr 30, 2006 at 08:10:07PM +0200, Pierre THIERRY wrote:
> > Anyone who can power the machine down and take the hard drive to
> > inspect it has ultimate power.
> 
> With encryption and a TC chip, it seems not.

As I wrote just above that, I was ignoring those. :-)  But perhaps Jonathan
was thinking only of cases including this chip...  Well, this chip gives some
extra possibilities, and I don't think I really care about them.  In any case
I think we can build a very good system without it.  It feels like it becomes
worse with it (and with support for remote attestation, etc), but that's just
a feeling.

> > However, while the system is running things are different.  The system
> > _can_ prevent anyone (including the machine owner) from accessing
> > data.
> 
> The problem was: if you cannot verify this, you cannot rely on this.

You can if you are the machine owner, which is usual for systems with really
sensitive data.  And you can trust the machine owner of a different computer
to not use this information.  You can also use contracts or other legal means
if you think trust is not enough.  With this chip, it's possible to verify it
technically, but this results among other things in the fact that the machine
owner can no longer upgrade his machine in case a bug is found in the critical
parts.  It is not possible to transfer the data to the upgraded version,
because the "upgrade" may consist of opening security holes for the
administrator, so he can get the data out.  So this locks the data down in a
way which is IMO undesirable.

> So it all boils down to being able to certify that unneeded authority of the
> machine owner (like authority to inspect every process' space bank) has been
> given out.

If you allow such verification, and use it effectively, you give up your
rights to modify the software, your possibility to make effective backups, and
your possibility to install bug fixes.  All this for a benefit which is
unusable for many people.  The most important use case for it is in fact
something we don't actually want to support anyway, namely DRM.

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html
