I, for one, can vouch for the fact that TCPA could absolutely
be applied to a DRM application. In a previous life I actually
designed a DRM system (the company has since gone under). In
our research and development in '96-98, we decided that you need
at least some trusted hardware at the client to perform any DRM,
but if you _did_ have some _minimal_ trusted hardware, that would
provide a large hook to a fairly secure DRM system.
Check the archives of, IIRC, coderpunks... I started a thread entitled
The Black Box Problem. The issue is that in a DRM system you (the
content provider) wants to verify the operation of the client, even
though the client is not under your control. We developed an online
interactive protocol with a sandbox environment to protect content,
but it would certainly be possible for someone to crack it. Our
threat model was that we didn't want people to be able to use a hacked
client against our distributation system.
We discovered that if we had some trusted hardware that had a few key
functions (I don't recall the few key functions offhand, but it was
more than just encrypt and decrypt) we could increase the
effectiveness of the DRM system astoundingly. We thought about using
cryptodongles, but the Black Box problem still applies. The trusted
hardware must be a core piece of the client machine for this to work.
Like everything else in the technical world, TPCA is a tool.. It is
neither good nor bad; that distinction comes in how us humans apply
the technology.
-derek
Lucky Green [EMAIL PROTECTED] writes:
Anonymous writes:
Lucky Green writes regarding Ross Anderson's paper at:
Ross and Lucky should justify their claims to the community
in general and to the members of the TCPA in particular. If
you're going to make accusations, you are obliged to offer
evidence. Is the TCPA really, as they claim, a secretive
effort to get DRM hardware into consumer PCs? Or is it, as
the documents on the web site claim, a general effort to
improve the security in systems and to provide new
capabilities for improving the trustworthiness of computing platforms?
Anonymous raises a valid question. To hand Anonymous additional rope, I
will even assure the reader that when questioned directly, the members
of the TCPA will insist that their efforts in the context of TCPA are
concerned with increasing platform security in general and are not
targeted at providing a DRM solution.
Unfortunately, and I apologize for having to disappoint the reader, I do
not feel at liberty to provide the proof Anonymous is requesting myself,
though perhaps Ross might. (I have no first-hand knowledge of what Ross
may or may not be able to provide).
I however encourage readers familiar with the state of the art in PC
platform security to read the TCPA specifications, read the TCPA's
membership list, read the Hollings bill, and then ask themselves if they
are aware of, or can locate somebody who is aware of, any other
technical solution that enjoys a similar level of PC platform industry
support, is anywhere as near to wide-spread production as TPM's, and is
of sufficient integration into the platform to be able to form the
platform basis for meeting the requirements of the Hollings bill.
Would Anonymous perhaps like to take this question?
--Lucky Green
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
--
Derek Atkins
Computer and Internet Security Consultant
[EMAIL PROTECTED] www.ihtfp.com
