On Thu, 15 Aug 2002, Lucky Green wrote:
Hopefully some of those people will not limit themselves to hypothetical
attacks against The Spec, but will actually test those supposed attacks
on shipping TPMs. Which are readily available in high-end IBM laptops.
But doesn't the owner of the box create the master key for it? They
imply that in their advertising, but I've not seen anything else
about it. It was advertised to be protection for corporate data, not
a DRM/control type thing. It would be very interesting to know the
details on that.
I found this:
http://www.pc.ibm.com/ww/resources/security/securitychip.html
but the link to IBM Embedded Security Subsystem goes to page
not found.
but this one:
http://www.pc.ibm.com/ww/resources/security/secdownload.html
says in part:
IBM Client Security Software is available via download from the Internet
to support IBM NetVista and ThinkPad models equipped with the Embedded
Security Subsystem and the new TCPA-compliant Embedded Security Subsystem
2.0. By downloading the software after the systems have been shipped, the
customer can be assured that no unauthorized parties have knowledge of the
keys and pass phrases designated by the customer.
So it looks like IBM is ahead of Microsoft on this one. but if
TCPA isn't fully formalized, what does TCPA-compliant mean?
In any case, they imply here that the customer needs to contact
IBM to turn the thing on, so it does seem that IBM has some kind
of master key for the portable. I wonder if they mean IBM is
authorized to know the customer's keys?
Patience, persistence, truth,
Dr. mike
