[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Restricted storage

From: Jonathan S. Shapiro
Subject: Re: Restricted storage
Date: Thu, 01 Jun 2006 16:51:45 -0400

On Thu, 2006-06-01 at 22:26 +0200, Michal Suchanek wrote:
> > Easy: In one case, they *only* need to rely on the OS+TC builders. In
> > the other case, they need to rely on OS+TC+Installer. One dependency set
> You deliberately enlarge the second group. Only the OS and the
> Installer (machine owner) belong ot the second group.

First, as I clarified in a later note, I got the list above wrong. It
should be:

        TC+OS vs. OS+Installer+Admnistrator

You tend to assume that Installer == Administrator == Owner, and this is
fine as a simplifying assumption, but note that this often is not true
in practice. I am going to assume that the person who did the install
was smart enough to run the CD install process correctly, which will let
me focus on the "Administrator".

If we know the Administrator, and we believe that they engage in fully
reliable administration, OR we believe that the machine is fully
disconnected (no network, no new software installs), OR we believe that
the administrator is somehow restricted to acting through "safe"
administrative tools, then you may be correct that

        OS+Administrator < TC+OS

In my experience, the set of fully reliably administrators is a set of
size zero. The set of network-disconnected machines is a much larger
set, but I don't think we would be satisfied with a "safe only when
disconnected" design. Redmond has already produced one of those.

So in the design space of interest, we must assume "network connected",
and *I* assume that the Administrator is human and fallible. The
question now is: what can we assume about the administrative tools?

In the absence of TC, the answer in the *general* case is "nothing".
Therefore, we must conservatively assume that the entire machine is
compromised in the absence of direct knowledge of the Administrator.

Under these conditions, we would necessarily conclude the following
about our two options:

        TC+OS <<<< OS+Administrator

> And I personally do not find much confidence in the TC. It turned out
> that CAs for SSL aren't very trustworthy, and I do not see any
> principial difference between the CA scheme and the TC scheme.

This depends greatly on the CA, and the CA process for TC chips has been
much more carefully handled than the one for SSL.

> I would say that in the other case the TC is the weak link....

What empirical evidence can you offfer to support this assumption? It
seems very unlikely on many grounds.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]