lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20021220003507.GE2338@localhost>
From: Simon.Richter at hogyros.de (Simon Richter)
Subject: Trustworthy Computing Mini-Poll

Hi Andrew,

On Thu, Dec 19, 2002 at 09:06:58AM +0200, Andrew Thomas wrote:
>> form a lobby group and ask for the "owner + web of trust"
>> solution. It is technically doable and in the line of liberalism, so I think it
>> has a good chance of becoming law.

> I might be missing something, but how does software/hardware limitation of
> personal control fall under the description of 'in the line of liberalism'? 

I was talking about the "web of trust model", where the owner of the
computer decides whom to trust as an introducer and whom to trust as a
software vendor. So this doesn't in fact limit your personal control
over what software runs on your computer, as you can always sign it
yourself. Since a lot of users do not (want to) understand what a web of
trust is, a number of "trust centers" will pop up, competing for
software developers (=> reasonable price). The OSS people will simply
use their own web of trust, and people wishing to install OSS software
can also enter this web at the next signing party or compile and sign
the software themselves. The only thing that is bad about being
liberalist here is that M$ gets to decide whose keys they ship with
Windows -- but as long as the user is able to install new keys and
express trust into them, users will still vote with their feet (if M$'s
pricing is unresonable, we tell people to install a certain key in the
manual -- and that key will probably belong to a group of software
developers).

On the copy protection side, customers will have the choice between
buying combo hardware (DVD drive, gfx card, sound card, special cable
inbetween, all from the same vendor) and using a non-TCPA CPU or
selecting hardware from different vendors and using a TCPA CPU. In fact
I think the copy protection features in the TCPA hardware will be born
dead, since a hardware-only scheme is much cheaper, and customers will
be happy about the CPU time saved by decoding that MPEG stuff in hardware.

I'm still wondering whether TCPA or the hardware schemes are in fact
weaker -- TCPA can probably be cracked in software, but OTOH a lot of
the hardware solutions will be security-by-obscurity or at least one of
them may have a small flaw (a chosen-plaintext attack may be enough of a
hole for a mod chip).

> To answer your question, I would personally be quite happy for the technology to
> be developed, as long as it wasn't forced on me by law.

Would you buy/use it if you had the choice? I mean, there are a lot of
advantages... :-)

   Simon

-- 
GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20021220/a15e1f87/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ