l4-hurd

Re: Restricted storage


From: Michal Suchanek
Subject: Re: Restricted storage
Date: Tue, 6 Jun 2006 17:29:02 +0200

On 6/1/06, Jonathan S. Shapiro <address@hidden> wrote:
> On Thu, 2006-06-01 at 22:26 +0200, Michal Suchanek wrote:
>
> In my experience, the set of fully reliable administrators is a set of
> size zero. The set of network-disconnected machines is a much larger
> set, but I don't think we would be satisfied with a "safe only when
> disconnected" design. Redmond has already produced one of those.
>
> So in the design space of interest, we must assume "network connected",
> and *I* assume that the Administrator is human and fallible. The
> question now is: what can we assume about the administrative tools?
>
> In the absence of TC, the answer in the *general* case is "nothing".
> Therefore, we must conservatively assume that the entire machine is
> compromised in the absence of direct knowledge of the Administrator.
>
> Under these conditions, we would necessarily conclude the following
> about our two options:
>
>         TC+OS <<<< OS+Administrator
>
> > And I personally do not find much confidence in the TC. It turned out
> > that CAs for SSL aren't very trustworthy, and I do not see any
> > difference in principle between the CA scheme and the TC scheme.
>
> This depends greatly on the CA, and the CA process for TC chips has been
> much more carefully handled than the one for SSL.
>
> > I would say that in the other case the TC is the weak link....
>
> What empirical evidence can you offer to support this assumption? It
> seems very unlikely on many grounds.

In the end, the TC keys are still managed by an administrator. The set
of reliable administrators is zero (you said that :).

Even if you verify some chips, there is no guarantee that they will not
- start producing a new revision
- give away keys to sign something else than the chips

Plus there is the problem of signing all those chips. How would a US
chip manufacturer manage that? Will they have the chips signed in
Taiwan and China, or will they first get all the zillions of chips
transported to the US and sign them there?

How much do you trust a chip signed in China?

Now in the case of TC it either works for everybody or it fails for
everybody (or at least a substantial part of the world). But I find
the situation where things fail locally better than the one where
there are only large catastrophic failures.

Thanks

Michal
