> Presumably the "proper hardware" must also be tamperproof (or some vital
> parts of the OS must run on tamperproof hardware).
A couple of observations on this that I think I can safely make.
There is always a point at which one draws a line and says: from here down
I trust. Where that line sits depends on the needs of your application.
There is always a point at which one draws a line and says: from here down I trust. Where that line sits depends on the needs of your application.For many applications, it suffices to establish with confidence that you are running on a hardware implementation of a certain instruction set (i.e. a Pentium or an AMD chip as distinct from an emulator), and that the BIOS was an acceptable BIOS. For others, one might decide it was sufficient that the user had, say, EROS installed on their disk and not worry about data forensics against the drive.
I do not believe that trusting a completely wide-open platform is a good idea. Tyler clearly feels (and has stated) that a number of reasonable eCommerce applications can run with satisfactory guarantees under existing operating systems. For two reasons I do not believe this:
The main problem is that the incentive structure is wrong -- there are STRONG incentives for the user to install new software in ignorance. Stipulating that my view is purely subjective, I am much happier with a position that says: "... provided the user doesn't engage in data forensics" or perhaps "provided the user doesn't reflash the BIOS prom."
It's not that I want the security to be perfect; security is a problem in economic tradeoffs. It's rather that I want the line to be drawn in a place that seems consistent with the incentives experienced by the "responsible" parties.
Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 7595
Ben Laurie <email@example.com> on 11/03/99 07:13:59 AM
To: Jonathan S Shapiro/Watson/IBM@IBMUS
Subject: Re: Thoughts on droplets
> > How do we ascertain that it is, in fact, running on tamper-proof
> > hardware?
> You engage in a challenge/response protocol with the tamperproof card.
> the card verifies that a proper OS is running on proper hardware is
> something I cannot comment on at this time.
Presumably the "proper hardware" must also be tamperproof (or some vital parts of the OS must run on tamperproof hardware).
I see two interesting issues here:
-- http://www.apache-ssl.org/ben.html "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi