[16811] in cryptography@c2.net mail archive
RE: Dell to Add Security Chip to PCs
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Fri Feb 4 12:48:02 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: erwann@abalea.com, ptrei@rsasecurity.com
Cc: camera_lumina@hotmail.com, cryptography@metzdowd.com,
cypherpunks@al-qaeda.net, rah@shipwright.com
In-Reply-To: <Pine.LNX.4.58.0502031431080.6276@shining.seclogd.org>
Date: Sat, 05 Feb 2005 00:47:58 +1300
Erwann ABALEA <erwann@abalea.com> writes:
>I've read your objections. Maybe I wasn't clear. What's wrong in installing a
>cryptographic device by default on PC motherboards? I work for a PKI 'vendor',
>and for me, software private keys is a nonsense.
A simple crypto device controlled by the same software is only slightly less
nonsensical. That is, the difference between software-controlled keys and a
device controlling the keys that does anything the software tells it to is
negligible. To get any real security you need to add a trusted display, I/O
system, clock, and complete crypto message-processing capability (not just
"generate a signature" like the current generation of smart cards do), and
that's a long way removed from what TCPA gives you.
>You could obviously say that Mr Smith won't be able to move his certificates
>from machine A to machine B, but more than 98% of the time, Mr Smith doesn't
>need to do that.
Yes he will. That is, he may not really need to do it, but he really, really
wants to do it. Look at the almost-universal use of PKCS #12 to allow people
to spread their keys around all over the place - any product aimed at a mass-
market audience that prevents key moving is pretty much dead in the water.
>Installing a TCPA chip is not a bad idea.
The only effective thing a TCPA chip gives you is a built-in dongle on every
PC. Whether having a ready-made dongle hardwired into every PC is a good or
bad thing depends on the user (that is, the software vendor using the TCPA
device, not the PC user).
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
