On Sun, Apr 30, 2006 at 08:10:07PM +0200, Pierre THIERRY wrote:
> > Anyone who can power the machine down and take the hard drive to
> > inspect it has ultimate power.
>
> With encryption and a TC chip, it seems not.

As I wrote just above that, I was ignoring those. :-) But perhaps Jonathan was thinking only of cases including this chip...

Well, this chip gives some extra possibilities, and I don't think I really care about them. In any case I think we can build a very good system without it. It feels like it becomes worse with it (and with support for remote attestation, etc.), but that's just a feeling.

> > However, while the system is running things are different. The system
> > _can_ prevent anyone (including the machine owner) from accessing
> > data.
>
> The problem was: if you cannot verify this, you cannot rely on this.

You can if you are the machine owner, which is usual for systems with really sensitive data. And you can trust the machine owner of a different computer to not use this information. You can also use contracts or other legal means if you think trust is not enough.

With this chip, it's possible to verify it technically, but this results, among other things, in the fact that the machine owner can no longer upgrade his machine in case a bug is found in the critical parts. It is not possible to transfer the data to the upgraded version, because the "upgrade" may consist of opening security holes for the administrator, so he can get the data out. So this locks the data down in a way which is IMO undesirable.

> So it all boils down to being able to certify that unneeded authority of the
> machine owner (like authority to inspect every process' space bank) has been
> given out.

If you allow such verification, and use it effectively, you give up your rights to modify the software, your possibility to make effective backups, and your possibility to install bug fixes. All this for a benefit which is unusable for many people. The most important use case for it is in fact something we don't actually want to support anyway, namely DRM.

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader. Please send the central message of e-mails as plain text in the message body, not as HTML and definitely not as MS Word. Please do not use the MS Word format for attachments either. For more information, see http://129.125.47.90/e-mail.html
_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
