Re: TPM cost constraint [was: RE: Revenge of the WAVEoid]

2002-07-08 Thread Eric Murray

On Sun, Jul 07, 2002 at 07:13:54AM -0700, Optimizzin Al-gorithym wrote:
> At 07:05 PM 7/6/02 -0700, Lucky Green wrote:
> > Adding the cost of an EMBASSY or SEE environment to the purchase of
> > every new PC is more than the market for bare-bones or even mid-range
> > PC's will bear.
> >
> > --Lucky
>
> Too bad PCMCIA cardreaders aren't widespread, then a bank could give
> away smartcards which would be arguably more secure than browserware.

Smartcards are more secure than browsers.  But normal cardreaders
don't keep malware that's on the PC from accessing the card.  It can snoop
on the user's PIN, or in the case of the few cardreaders that keep the PIN
local, wait for the card to be unlocked and then use it for illegitimate
purposes.  The smartcard still depends on the security of the PC.
It's not any more secure than the PC, it's just portable.  That hasn't
been enough to make smartcards take off for PC-based applications.

A few companies have made secure smartcard readers that prevent this
type of attack.  One of those was N*able Technologies, which Wave bought
in '99.  The current EMBASSY chip is one that N*Able designed.  I was
Nable's chief architect.  I left after the buyout.  Nable's system was
for secure commerce, not DRM, but as a secure building block it can be
used for lots of things.

I don't know WAVE's pricing for the current EMBASSY chip, but based on
prices for earlier Nable chips, I'd guess that they could sell it for
$5-10 in quantity.  That's still a significant adder to the cost of a
motherboard.  But it isn't insurmountable.  The beneficiary pays for it,
not the end user.  All it takes is one customer who can get enough value
from it to make it worthwhile.  Microsoft is a good example... simply
increasing their license payment rate for Word from 50% of users to 60%
would make them more than enough $$ to cover the cost of an EMBASSY or
similar in most PCs.  The potential anti-competitive side effects then
come for free.

Of course marketing for PCs will attempt to get users to pay more
for the security enhanced DRM-equipped PCs.  But the added cost
doesn't need to be paid by the users to make it viable.

Eric




Re: TPM cost constraint [was: RE: Revenge of the WAVEoid]

2002-07-07 Thread Optimizzin Al-gorithym

At 07:05 PM 7/6/02 -0700, Lucky Green wrote:
> Adding the cost of an EMBASSY or SEE environment to the purchase of
> every new PC is more than the market for bare-bones or even mid-range
> PC's will bear.
>
> --Lucky

Too bad PCMCIA cardreaders aren't widespread, then a bank could give
away smartcards which would be arguably more secure than browserware.




TPM cost constraint [was: RE: Revenge of the WAVEoid]

2002-07-06 Thread Lucky Green

Bill wrote:
> At 10:07 PM 06/26/2002 -0700, Lucky Green wrote:
> > An EMBASSY-like CPU security co-processor would have seriously blown
> > the part cost design constraint on the TPM by an order of magnitude or
> > two.
>
> Compared to the cost of rewriting Windows to have an
> infrastructure that can support real security?  Maybe, but
> I'm inclined to doubt it, especially since most of the
> functions that an off-CPU security co-processor can
> successfully perform are low enough performance that they
> could be done on a PCI or PCMCIA card, without requiring motherboard
> space.

Upon re-reading the paragraph I wrote, I can see how the text might have
been ambiguous. I was trying to express that there was a cost constraint
on the part. Adding the cost of an EMBASSY or SEE environment to the
purchase of every new PC is more than the market for bare-bones or even
mid-range PC's will bear.

--Lucky