Digital ID World 2003

Trusted Computing: Foundation of Identity
October 15, 2003

Moderator: Eric Norlin, SVP Strategic Marketing, Ping Identity Corp
Steven Sprague, CEO, Wave
Peter Biddle, Security BU, NGSCB Microsoft

Norlin: I'm not sure exactly what makes me qualified to moderate except that I went to WinHEC and saw Peter demonstrate Palladium, Peter and his band of young hackers. And it's a fascinating technology that I often find myself defending or attacking in various situations, sometimes both at the same time actually. So, what I thought we'd do is take a couple minutes and let them each explain what their projects are. Talk about why trusted computing now, versus 10 years ago. How it will be deployed, etc., etc. And if Corey [Doctorow] is in the audience, and he is, we'll let Corey summarize the recent report that the EFF wrote on trusted computing and then kind of move into some interactions around that. So, get to the hot button topics. So, Peter, why don't you let everybody know what it is you guys are doing.

Biddle: Okay, so the project we're working on that comes out of my group is called NGSCB or Next Generation Secure Computing Base. Some people occasionally pronounce that "Palladium," and I will not correct you if you do. If you just change all of the letters out and replace them with some other ones, you can pronounce it that way. And I say engscub because it's easier than actually spelling the letters. NGSCB is going to be in a future version of the Windows Operating System. It does use new hardware in order to provide for a much higher degree of security.

The threat model we're targeting is software attacks on the assets that are protected by the NGSCB environment. So that includes secrets that are stored by users or by software, credentials, applications themselves, the input and output paths - so keyboards, mice, and graphics - and it has the ability to also attest to the identity of code that's running, so that you can either locally or remotely say, "This is, in fact, what's running. This is what you need to trust, in order to trust the validity of this transaction."

Our primary focus in our first version is on enterprise customers. And we've spent a number of years, but in particular the past year, talking to a number of enterprise customers. We've done focus groups with IT business decision makers; we did a focus group with a couple hundred; and we've also done deep dives with over thirty major enterprises, multi-billion dollar enterprises, to talk with them about the technology, what's possible and also what's probable in version one. Right? We are a version one product, so a lot of the stuff that you've heard, maybe, about NGSCB is people capitalizing upon an opportunity to sort of imagine a future somewhere down the road, as opposed to something that lines up squarely with version one.

So the focus, our focus is on enterprise. And the thing we're finding very clearly in our discussions with enterprise customers is that perimeter security no longer works. The IT and security managers in those companies are losing seven of their good eight hours of sleep a night freaking out about the porosity of their enterprises. They have devices that are scattered all over the place; they don't know where they are. They have laptops that disappear for a week and come back and they think they're the same laptop, but they don't really know. They have CEOs using cell phones to do proxy e-mail, with no security, no WEP, no login. You can actually set these phones up so that they will put in the user credential once, and they don't require a user credential again until the phone is powered off. So in this case, we know of specific examples: if a single cell phone were left at Starbucks on the counter, somebody could pick it up and successfully impersonate the CEO, full access to e-mail, full access to databases, full access to hire/fire decisions, from that device until IT figured it out. Right, until somebody said, "Gee, I've lost my phone." You had all the repercussions; in that case, because of the user credential, you basically had to kill the credential, right. So what we're hearing is, we want a security model that is smaller than the device itself. We want it contextual, such that it's a user with a specific set of credentials getting access to a specific resource, with specific software on a specific device. We want that degree of granularity. And as it turns out that really is very much what NGSCB is capable of providing. It is capable of providing a very small thing that you have to trust, not the whole operating system or everything, but a very small thing that can represent, if that's how you want to set it up, all of those things.

So we're getting really positive feedback about NGSCB as being a platform upon which you could build those things. And so in that regard, it's been a really exciting year; of course there's been a lot of news about NGSCB, so that's been exciting as well.

Norlin: So Steven, if you could talk about Wave, and also kind of spell out the difference between TCG and NGSCB and what's going on there.

SKS: Sure. Wave's a company that's been sort of pursuing the security space for a long time. And I would disagree, we were one of the few people who really would have liked to have had it happen 10 years ago.

But, having said that, we've evolved into a company today that is building the tools and services to help enable the deployment of really the first-generation stuff, which is just the TCG chips as part of the motherboards of the PC platforms. How do we make it really simple to manage and deploy a device that is capable of authentication? I think one of the things that's really important to understand in this is that today this platform, IBM has shipped about 4 million of them, is probably, a good way to think of it is, almost a completely new category of devices. Which is that with a trusted device, I can do strong authentication. That's all that TCG can really do. There's a whole bunch of things that TCG helps to enable when I get to the next two parts, which is the LaGrande technology and NGSCB, which allow me to do things like bulk encryption and trusted execution of an application or some form of higher-level function than just: here's a secret; hide the secret; and then regurgitate the secret, under a certain policy.

I think there are some really strong misconceptions around what ultimately, you can do here. But I think one of the things that's very true is, this is very powerful technology for anybody who's making enterprise decisions today on security. It's very inexpensive, and it's going to give you basically hardware token-level authentication in every laptop device or PC device, and it can be used in a variety of different ways.

Wave as a company is building software to do today some very simple applications like file folder encryption and document signing, etc., which actually I think many of those will ultimately become functions and features within the operating system. The core of our business is around creating the tools to do management of the platform: how do I back it up; how do I recover the keys; how do I ensure that it's maintainable in an enterprise. So we like to believe that one of our goals is that when you lose your laptop, you can go somewhere, kill the previous one, and two hours later walk out of Fry's with another one that's been reconstructed with all the same service relationships. Right? That's how our cell phones work. That's how our set-top boxes work. Why can't our PCs work that way? And so we strive to make it really easy to use. And I think this morning Phil made some really good analogies.

But at the end of the day what you really want to do is, you want access control that works in a way where, when you walk up to the door, the door opens for you. Preferably, automatically. And when the guy walks up to the door that you don't like, you know, preferably he's electrocuted. Somewhere along those lines is what we as users want as access control. Completely seamless. Available. Easy-to-use. So that the CEO is willing to actually turn it on. Cuz WEP today is a bear to turn on. You can just go down to Fry's and buy your Linksys router and hook it up in your office and poof, you can roam around without any wires. It's excellent. The fact that everybody else can roam around without any wires is a minor technical detail.

So we think that there's a very interesting market in authentication today. We'll certainly then work to take that same role going forward to help as it becomes clearer how things like NGSCB will be broadly used. What are the tools and infrastructure to help make that easy to manage and deploy, and work in those areas.

That's what we're doing.

Norlin: So I guess the first question that came to my mind when I was thinking about this was, "Why now?" I mean, I've made a couple public statements about identity being around the topic of moving from a network of anonymity to one of identity. And it's kind of, we're in this in between phase; we're trying to re-architect some essential things. It sounds to me like there's a certain business driver here, that is pushing this "Why now" versus five or ten years ago. That enterprises are now starting to demand this more. Is there thought on why the timeframe has moved...

SKS: I think we all fell into the vortex. I mean, the vortex was, "We can do this in software. User ID and password is good enough. Let's deploy the thing!" You know, and guess what, this is not anything new. The cable industry did this once. Right? They shipped a whole bunch of cable set-top boxes, remember that? And then we got HBO. There was no security in the box. They ran around in little trucks putting filters on the wires coming in and out of the house. Firewalls. That didn't work so well, because the firewalls were pretty easy to defeat. You just went out there and took the filter out. Right?

So, you know, the cell phone industry did the same thing. All of our first handsets, you got cloned phone calls. Remember that? Then we got PIN numbers, that's like Internet security. Now it works. They put chips in the phones. And you just get connected. And it works.

So the PC industry is probably the hardest one, because there's no buyer. Who's the buyer? Who's the guy who owns all the PCs installed, the 900 million PCs installed on the network? Right? Who owns them? Well, I don't own them. You don't own them. He doesn't own them.

SKS (?): Well close... [laughter] ...

SKS: But he doesn't own them all!

But not to the point where, not to the point where it makes economic sense to call everybody up and say let's replace them all, and let's give you ones with security in them, because our business model gets fixed. It doesn't work that way.

Norlin: So the driver, it's got to be a significant driver I would assume. Microsoft moving into the hardware space is kind of a different move for the corporation, right?

Biddle: So, it's not our hardware, right? We work with Intel. We work with AMD. We work with NVIDIA. We work with Infineon. We work with Atmel. And say, "Okay, this is what we'd like the software to do. Can you do this? Are your customers saying that they'll pay for this?" Because in the end you do need people to pay for stuff, right? We are in business.

I think that the reason that we took it so seriously was because in about '96, '97, '98, which is when I first started working on it, we were looking at the threat model and the security systems that were underneath it for our products for the Windows operating system. And, you know, I just sort of saw a Stairmaster that just never stopped. And what I wanted to be able to do was be able to say that there was an endgame. And the more we looked at it, the more we realized from an architectural perspective, the endgame that we needed was going to need some hardware assistance.

I mean, from an architectural perspective there's a number of different ways that you could pursue this. To be very clear, we could've started over with a different operating system, and potentially gotten a much higher degree of base level security without additional hardware. I actually think, like in the case of strong process isolation, we still would've wanted that. However, our customers are very clear about saying it takes us between, I dunno, 10 and 14 years to adopt a new device driver model. It takes approximately that long to go from, like, Win16 to Win32. So if you're going to attempt to do a completely new operating system, you're signing on for at least 10 years, if not 15 years, of friction, independent of, you know, anything else, any other potential friction that you might have.

So we made a business decision that our approach would be to architect in a solution that would actually coexist with Windows, which is why we got there. But really the thinking was we were looking at customer pain, we were looking at the viruses, and the worms, and the exploits that were out there back then, and we had new business models that people were coming to us and saying they wanted to pursue. Right. So we were told in the beginning of the DVD days, we were told, "Hey, if you want the next version of high-definition video to be on your platform, it's going to need to be able to do the following things," and all of these things added up to "We don't know how to do that... without hardware." Actually, at first, it added up to "We have no idea how to do that." Right? And then about six months or a year into it, we realized, "Okay, we do know how to do it. But the only way we really know how to do it with the threat model that we had, which was no software attacks, was with adding hardware."

Norlin: So Palladium obviously, we have no deployments to speak of. We have deployments that Wave can talk about, the situation it's in today?

SKS: Yeah well, so today TCG has been shipped by IBM for a while. They have, they say, about four million platforms in the market. If it were only IBM, I think we'd all be sitting here watching, because IBM hasn't been the greatest company at introducing new technology. I mean, there's been a lot of great technologies they haven't adopted. In this case with Microsoft's support from last summer, and Intel and AMD support, and the fact that the industry-standard group has really coalesced, I think there's a good standard going forward. HP has now announced that they're deploying platforms. Intel demonstrated a platform that they'll be shipping on their motherboards at IDF this year. So the market is underway. I think we'll see sporadic deployments through the course of this quarter. And I think you'll really see traction start in the first half of next year.

Norlin: Is there a vertical industry that adopts this first?

SKS: I think that it's clearly targeted at the enterprise today, but it's the power user within the enterprise, it's not the help desk.

Norlin: So it's not financial services or healthcare. It's a specific position within the enterprise?

Biddle: We're seeing both. (Both.) Yeah. We're seeing enterprises just generally, and we're seeing healthcare, financials, healthcare and financials as being probably the two top. And then sort of multinational like aerospace, you know, the people who are building stuff, anybody who has complex vendor relationships, anybody who does a lot of corporate acquisitions and divestitures. We talked to one company that wants to be able to acquire a company and then turn them on, onto their intranet, just through one gateway and use all Internet protocols, and they want to be able to, so they want to sort of flip a switch and then gen policy out into that company, knowing that it's possible that they'll still be doing it that way ten years from now, or ten days later they'll sell the company. And so they need to have this really rapid system of being able to say, "Well, now that you're in our company, here's how the policy works: here's what you have access to; here's what you don't have access to; here's how we do things." And they want to be able to do that in these sort of amorphous blobs. And that is very much a, you know, a point-to-point kind of security relationship you have to be able to build with each one of those devices, cuz otherwise it just doesn't scale. It won't work.

SKS: I think, very quickly here as well, I think you are going to see, I think we are very close to it, a tipping point where the IT purchasing manager realizes that if I buy a platform without a TPM chip in it today, the lifecycle of that platform is going to be significantly shorter than one with it. And the delta in cost is zero. Realistically, these parts are adding less than a few dollars of cost to the PC, so anyone who is buying a new PC should go specify a PC with a TPM on it today, at least at a minimum to have the basic forms of hardware-based authentication. So that if your enterprise goes and decides to deploy an identity management system that leverages hardware-based authentication in the network in the next 24 months, then you're starting to shorten the lifecycle of the PC you're buying today. I think we're just at the edge of that. I think that will become much more pronounced in the course of the next 12 months.

Biddle: On the cost thing, I, fortunately all my wounds have healed recently, but I have gotten mauled pretty significantly for introducing cost into the PC. So, it is true that ultimately the cost winds up being zero. Because generally speaking the cost that has been introduced into the PC historically over the past 20 years has wound up being zero, because the die size doubles and the cost remains the same or it goes down slightly. So there is some additional cost. And there certainly actually is profit opportunity there as well for small, middle manufacturers and for people right now, for example, in the TPM space there's opportunity. There's also opportunity for people looking at how to incorporate TPM cores into other logic. There's some logic that it probably will never end up in, right? For example we've been told that [??] are too touchy to ever want to put flash into. Period. The heart stops, so it may never end up there. It could wind up other places. And that's the beauty of the PC, right? One of the beauties of the whole business is that you can go from sort of zero to ubiquity in the shortest amount of time of any electronics industry in the world. And that's certainly what we're hoping will happen, because we see the network effect of having tens of millions or hundreds of millions of trusted devices, all of whom can cooperate with each other, and who can do set up and tear down, ad hoc, peer-to-peer trusted networks and do Web services and a bunch of other things. That's extremely cool, right? So the bigger it gets, it grows exponentially.

SKS: So let's use an example of a service, just to put some context to this. So one of the services that we like to articulate as an example, [??] two of them. One is, so today, I can go to the San Jose Airport, and I can belong to the WavePort 802.11 service. Right? I can use their user ID and password, and I can give it to you. It's really cool. Now you can log on to the WavePort with my user ID and password, totally virtual Web based service. The second problem is that using user ID and password, they know where I am. They happen to know that I am in San Jose. Why? Because I have logged on to their network. Or at least someone who knows my user ID and password has logged on to their network. With a TCG implementation, I could have a very unique identity and have Steven Sprague log on to WavePort, pay my bill and get downloaded into my device a credential that's not allowed to come off of my device, that says, I paid my August bill. So now, I had to have very strong unique authentication to get that, and I can ensure that the payment was properly collected from someone the network knows. And the second thing that happens is that I was handed out a credential, but basically all it does is attest that I paid my bill. Now that credential looks exactly the same as everybody else's credential on the WavePort network for the August bill. So now we have this totally anonymous authentication to the WavePort network. They have no knowledge of who is on when. All they know is that today 13 paying members of their network logged on from San Jose. And so, you can use this technology in a way to provide very strong service, very seamless. And so now I can flip my laptop open in San Jose, and I don't have to read their disclosure; I don't have to type in my user ID and password; I don't have to remember my user ID and password. I have anonymous authentication into the WavePort network. And so there's some very simple things like that, that we can do, that are very powerful and very easy then for the customer to use.

Norlin: It's one of the ironies of the technology. I remember after I went to WinHEC and saw the original demo, I wrote an article that said that one of the main uses of Palladium that was never talked about was that it could ensure that music piracy continues, because you could set up peer-to-peer networks that were secure, that nobody could look into. And that irony leads me to Corey. So, Corey, we have a mic if you want to not scream.

So, the EFF, everybody familiar with the EFF? Yes, probably. Released a report, what? A week and a half, two weeks ago?

Corey: About that.

Norlin: That detailed their view on trusted computing. So...

Corey: Yeah, EFF. My colleague Seth Schoen is our staff technologist. And he wrote a very good, I think, detailed, and I think Peter would agree fair, white paper describing what he sees as both the pros and the cons of trusted computing approaches, both those coming out of TCG, NGSCB, and some of the other sort of affiliated ones. And tried to also make sense of some of the acronym soup that came out of it.

EFF is, like I think a lot of people, fairly conflicted about the notion of trusted computing. On the one hand, you'll never find a finer friend of crypto than the Electronic Frontier Foundation. Indeed the crypto that you are all using in this room right now, whenever you make a secure browser connection and so on, that crypto was legalized as a result of legal action that EFF took. We fought them on the Bernstein case. We fought them on the right of Americans to use crypto stronger than the NSA could break. And that's why you've got good secrecy in your computers. And so, when we look at features like curtaining, and secure I/O, sealed storage and attestation, things that allow you to know what's happening in your computer, and allow you to know that you can be secure from eavesdroppers between you and the endpoint, we're delighted. I mean this is what we've always hoped for. This is why we fought that court case. And the absence of this kind of end-to-end crypto is why we run into problems. It's why all of you are sitting here running on a WiFi network sporadically that you can then sit and sniff passwords off of.

I was at a conference a couple of weeks ago in San Diego where some folks from the Shmoo Group, the security consultancy in San Diego, have built a hacker bot. It's a little autonomous robot that finds open WiFi networks and closed ones, breaks the closed ones, sniffs all the traffic on them, finds anything that looks like a password being sent in the clear, figures out who it belongs to, trundles up to their feet, and flashes on a screen on its lid their own password, which had been sent over the air. [laughter]

It's the most sarcastic robot ever built. That problem is damn near insolvable, and the reason it's damn near insolvable is that we don't have anything in crypto, and that causes us all kinds of other problems. That's why the New York Times and so on require us to generate passwords for a million contexts. There's no way we can remember good passwords for a million contexts and so we recycle passwords. We use bad passwords. The contexts change, we get into trouble.

TCPA, TCG, NGSCB, Palladium, all the various affiliated technologies, they fix a lot of this stuff. And it's great news. Where EFF runs into a problem with TCPA, with NGSCB, is with the remote attestation capability, because broadly speaking, remote attestation is the ability to secure a computer against its own user, against its owner. And we think that the power to innovate, that has characterized the IT industry, that has brought us to where we are today, that has put us in the hands of IT companies that are able to near guarantee us double the power at half the cost every 18 months, came out of the ability for any user to have absolute control over the computer that they've acquired, to tinker with it, to modify it, to change it. And that when you take away the ability to control your own computer, you open the door to anti-competitive behavior that has as its first victims not individuals, but enterprises. Let's remember that one of the biggest IT businesses we know was Ross Perot's company, which was founded to figure out how to write [??] software that will lie to databases about what kind of client it is. To provide a false attestation, so that you can extract the data from proprietary storage into nonproprietary storage and enter them into a different vendor. So that you can change vendors even if the vendor that you signed up with doesn't want you to. And we can all imagine a scenario in which we have signed up with a vendor who doesn't want us to change.

So today I use a Web browser. I use Mozilla. But I use it to communicate with a bank in Canada that expects me to be using Explorer, which no longer exists for OS X; all support has been discontinued. It's not a problem. All I do is I change the user identity string, the user agent string, and I make a false attestation to my bank; I log in with Mozilla; I'm using good crypto; I'm not worried about being spoofed on the way, and I get to make a good decision and continue to use the browser that is competitive with Explorer. I can do interop. I can run Samba, and so can your enterprise. Right? The Linux servers that coexist peacefully alongside the Windows desktops exist because there is a piece of software called Samba that's making a false attestation to every Windows client on the network about what kind of file sharing client it is. Moreover, you can use things like IM. I'm sure that the subject of interoperability in IM is very near your heart; we have all of us benefited to a certain extent from interop in IM. And I think we all have good reason to fear the day when there is no interop in IM, and when one organization controls it. Certainly, the FCC felt that would be a bad idea, until they lost their guts and chickened out this year.

We see things like forced downgrades. Now as a consumer none of us want forced downgrades. None of us want to know that today, the iTunes that we use has 10 features and tomorrow because of some private contract negotiation between Apple and the music industry, it has nine features, as recently happened when Apple forced a downgrade on all of its users.

But as customers who have acquired thousands and thousands of licenses we should have reason to be much more afraid. For example, there is a fairly high-profile lawsuit pending between Sony and Microsoft through their proxies, what do they call it, Inter, uh uh, content var... Peter?...

Biddle: InterTrust

Corey: InterTrust, thank you. Who assert that they both have a patent over the same technique for expressing rights expressions. If InterTrust wins that lawsuit, and Microsoft is ordered to withdraw NGSCB from the market, and you have made a significant investment in technology that uses NGSCB, you may find yourself with Microsoft being at the other end of a court order, ordering them to uninstall it from your computer. This is certainly not without precedent. We recently had a court order ReplayTV to uninstall a feature its users had bought in good faith. That's a bad idea. That's a bad future for you.

And so we proposed a solution. The solution is something called Owner Override. And it's something that takes advantage of one of the very clever and useful features of trusted computing, that would be secure I/O, the thing that allows you to distinguish with reasonably complete certainty that a key that has been pressed has been physically pressed by a user and not activated by a piece of malicious software and planted without the user's knowledge or permission. And when you press the owner override button, what it does is it takes the stuff that is about to be sent as a secure attestation and it lets you rework it. And lets you tell the kind of beneficial lie that gives us Samba, that allows me to use my browser of choice with my bank, that allowed Ross Perot to make his billions, that allows the tradition that is the reason that we have an exemption in copyright for reverse engineering, the tradition of interoperability, and allows us to prevent the market failures that occur when we take interoperability away. It's a pretty good idea. But it loses us a couple things. It loses us digital rights management. For reasons that we can go into if we have time, EFF is not a big fan of digital rights management. And it loses us the ability to detect game cheaters, and the ability for SETI@Home and [??]@Home and other worthy adventures in distributed computation to verify that the packets that are being sent to them are indeed the packets they sent out, without using computationally inefficient things like redundancy. That said, we think that it's a good trade-off. Because when we make security decisions, we make trade-offs. And we think the failure mode of eliminating competition from the market by allowing engineering of market failures as a consequence of the remote attestation feature is worse than the failure mode of SETI@Home not being able to reliably detect cheaters.

So that's EFF's position. It's somewhat nuanced, and mostly positive. And I hope you'll go and take a look at our paper at eff.org.

Norlin: So if I can kinda brutally summarize the charge. The charge is that these kinds of systems, starting with the TCG chip and then running back on up into Palladium, take control away from the owner of the computer. The solution is that the owner should be able to override the system and lie. So, I guess my first question is, is the charge correct, in your views?

Biddle: No, I don't think that the charge is correct. I do think that this technology is like most revolutionary technologies, you know, anything from airbags to the internal combustion engine; it would have been good for society to have really deep thinking around, is this something that we really want to happen. Right? Internal combustion engines will make it easier to rob banks. It's the reason Bonnie and Clyde were so successful, because security mechanisms of the time meant they could move quickly. But it also meant that your grandfather might get to the hospital faster. So it was a trade-off. And I think that examining any new disruptive technology with that context of saying, what do we gain / what do we lose? Do we lose anything? If we do, can we mitigate that? Can we make that go away? What do we gain? And how do we really maximize on the societal benefits of the gains, is a very good debate.

And I do, I will say that I think that EFF's paper was fair. I think it's wrong. In a few key places, owner override being, you know, the most obvious one. But I do think it is fundamentally fair, and I like Seth, I think he's an extremely smart guy. And I actually like the EFF, I think they're smart guys. But my belief is that in fact there's a lot of very fundamental things that are enabled by remote attestation that you don't get, that Corey hasn't talked about, and the EFF paper doesn't talk about, and I think that those are things that sort of fundamentally change a lot of what I see, or my interpretation of the concerns.

I do want to be even more blunt. The view of owner override from a deployment perspective, on a system that had owner override, I would have the functional ability to lie, to query in a way so that it was impossible for him to tell the difference between a lie and the truth. So I can do that in a peer-to-peer fashion, because then we're trying to set up a peer-to-peer network, and Corey's from some outside company that wants to get in my peer-to-peer network to find out if I'm stealing music on it, and Corey could lie to me or I could lie to Corey, and the system would make it impossible for the user, for anyone in the system to discern the difference. The problem with that, the real fundamental problem is, why in the world, would you ever trust an attestation, if you know that, flip a coin, they may or may not be lying? I'm all for an attestation that says "I'm not telling you anything."

Corey: First I'd like to point out that saying that there's more to remote attestation than EFF mentioned is not the same as saying remote attestation does not take away control of your computer. And you started by saying, "No, you're wrong, remote attestation doesn't take away control of your computer." But you failed to mention any ways in which remote attestation doesn't take away control of your computer. Now remote attestation has lots of usefulness, being able to lie where we have situations where we wouldn't imagine that the party on the other side would lie, like when I'm talking with my mom on the phone and helping her fix her computer, and I say I want to find out whether there's any [??] running on her computer, can I get an attestation from you. My mom isn't going to lie to me about the state of her computer. And there's a perfectly useful valid way in which remote attestation continues to be useful even if we have owner override. In fact, most of sort of beneficial cases remain, the ones that don't remain are things like being able to engage in certain kinds of cheater prevention activities.

Norlin: It sounds to me though, that you're talking about a relationship, a pre-existing trusted relationship, especially in the example that you used. And I'm really intrigued by what Steven said before about using this technology in a way to actually insure anonymity. Which I'd actually never thought of. So I'm curious how we kind of reconcile those two points of view.

SKS: I guess I want to make one other comment, which is, if you wanted to strengthen the software attestations that exist today, you could. It's very easy. I mean, substantially strengthened, so that the average user couldn't with a few lines of code take them apart.

??: [background aside]

SKS: Well there's a reason why today the attestations exist. And there's also probably a reason why they haven't been strengthened beyond where they are, so that it makes possible certain characteristics or scenarios. There's a whole aspect to this which I think is driven certainly by market forces, and there's no question that the direction that this form of technology is going to take is the disintermediation of the monopolies that are out there. It is not the reverse. This is the most powerful technology to enable anybody in this room to form a network. It doesn't exist today. Let's be really clear, what doesn't exist today. What doesn't exist today is the ability in a fraud free environment, or fraud free is way too strong, in an environment where I wouldn't have 100% fraud, okay? To deliver any virtual service. A virtual service means Amazon's not shipping it to me, they e-mailed it to me. So whether it's pictures or movies or access or authentication or banking or any other form that doesn't have a physical connection, somewhere that has other fraud protection, today the ability for the Internet to allow that to exist as a business model of any kind is zero. Because if it gets big enough on the radar screen, the fraud should be 100%. So we have a huge gap in the ability for there to be any form of a digital economy that has long-term success.

The second thing that happens is today, almost all of the monopoly networks that exist: cell phones, paging networks, set-top boxes, etc. are controlled by the fact that the guy owns the wires or the spectrum. And they've facilitated secure devices, in order to establish relationships. What this form of technology makes possible is the beginnings of establishing a network of services. And whether that's my photo collection and Grandma and my aunts, or it's HBO and 30 million subscribers, is completely transparent.

Digital rights management is a very interesting challenge. If I send photos, and this happened to me, bought my mother-in-law a brand-new laptop, loaded the photo collection on it, turned on the wallpaper feature, and we all had a really good laugh because one of the first 10 photos that came up on the screen was my five-year-old mooning the camera. Okay? Very cool. But if I put that up on a web site, I go to jail for child pornography. You send it to Grandma, everybody gets a good laugh. So yeah, I think there's a huge societal demand, for strong protection of that content not finding its way into inappropriate uses on the network. And so every one of these has both sides of the equation. And I think we have to look at, are the economic components in place to protect the users in the network, one, and two, is it user opt-in. At the end of the day, the user can turn it off. They don't have to use it. If I turn off the physical hardware to my device, it's not going to be available. And so the kinds of services that we're going to use, which are completely broad-based, the examples that you used I don't think are the best early examples of this technology. The best early examples are: here's the client application from my bank and here's my banking relationship, and I want those two things to touch each other. The rest of my system isn't involved at all. If anything it's a narrowing of the connection between the service provider and the application on the desktop. We don't want to broaden the picture anymore.

Norlin: Not to cut everything off, but I do want to leave us some time for questions, and something that occurs to me that I'd like to kind of sort of pose to Corey. We're talking about ownership of the computer. When I read the EFF report, the first thing that came to my mind was, well, that doesn't make sense to me, because I can't take a credit card and walk into a store and assert that I have a credit limit of $100,000. I don't have the ability to lie. Right? Because it's not my credit card solely; it's partially my credit card. And I wonder if we're not moving into some sort of, you know, the great thing about the Internet is that it's a great big network, and as this touches the network more and more and more, I wonder if my ownership of it becomes less and less and less. I mean, I wonder if there's not some fundamental change occurring, where I don't strictly own the computer that I own. Much in the same way that I don't really own the credit card that I own.

[unclear]

Corey: The rough consensus in running code is an interesting, useful to build technology but when it comes to changing some of the fundamentals that we rely on like free discourse, like the public side of the copyright bargain, like freedom of speech and so on, rough consensus in running code is a poor substitute for due process, changes in the law, and consent to govern. And if we're going to change the deal on copyright, so that a rights holder has the ability to control 100% of the context in the way that you use his copyrighted material afterwards, that decision shouldn't be made by technology companies. That decision should be made by Congress.

Biddle: I'll actually, so without talking about the specifics of changes to copyright law, I will absolutely fundamentally agree that the concept of existing laws, they're sort of a confluence DMCA, copyright law, rights management, trustworthy computing, there's a lack of parallelism between where society is and where laws are and the technology. So I think a fantastic place to be talking about what is right and what is wrong; what is fair use law; what is not; what is copyright; you know, what is the context of rights management when you're trying to use it to enforce something that is more stringent than copyright; how does the DMCA work there? There's a bunch of just sort of bugs in the system, and then there may be needs for fundamental just new legislation or something that says, okay so we've seen what the technology is capable of, and we need to have a society that reflects the general good of people to be able to live their lives happily, for businesses to make money, etc. etc. However, I do, that's for the US. I do want to also point out that what we think of as being copyright in the United States has nothing to do with necessarily what they think of copyright being in Israel or Russia or China. And so trying to say that you're going to stop a technology from growing in one region because you think it might have impacts, that have nothing, that may be even counter to what people even want in another region, is sort of cultural imperialism. Right? It's saying, well whatever we think the technology should work, is what the world should get for technology. Instead of the technology, and then you know, that can do a bunch of things, and society, each society decides. Well this set of behaviors is illegal; this set of behaviors is not. We're going to enforce the laws here, because we think this is illegal here.

Corey: Well every country with electricity stable enough to provide anything like network access, is part of the same IP regime. They're [??] countries. Russia and China have no IP regime to speak of, and Israel is a signatory to [??]. Their copyright laws are substantially similar to our copyright law. My question is, if the only way as we're told that we can have a successful business by providing a virtual service, is by confiscating all of the public's rights and copyright, and expropriating the public of all the fair use rights, and first sale rights, and transcoding for assisted format rights, and all the other rights that we depend on, then why is it that we should endorse the notion of that business? And given that we've heard that story over and over again, starting with the piano roll, why shouldn't we just rely on new IP businesses springing up that don't require such mass confiscation of public rights?

SKS: But, I think that the consumer has done a great job of voting with their feet. I mean, there've been a whole range of different solutions through time, of different economic models that have been tried, have failed pretty miserably. And we've seen an accelerated view of that over the last three or four years in software unlocking technology, you're talking about DIVX before...

Corey: You know those are (?) technologies that people are getting sued and put in jail for.

SKS: Oh no...

Biddle: Not DIVX the old DIVX. ... That had the owner-DRM scheme that cratered.

Corey: Right.

SKS: But at the end of the day we also have learned that the cable industry has successfully found various subscription models and content viewing models that have been perfectly viable business. That yes, they had put certain scrambling technology in to put enough of a speed bump into copying that we didn't just all end up with every movie ever published by HBO on our VCR.

Corey: But in order to be viable do those businesses require serving notice on and confiscating the savings of everyone who ever bought a smartcard reader.

[silence]

Biddle: Can you hear me now?

Norlin: Let me break in and do an advertisement for Corey's panel tomorrow, which is "DRMs," so all of this will then lapse into the stuff he's talking about now. But, we have questions in the audience? If we don't have questions we'll continue, but we do have questions.

Q: I've got a really simple question. I hold here a generic token card, which I use with my TPM. This could be modified slightly with some tamper resistant RAM and a CPU and a cryptographic protocol could be used to access this over a USB port or something, and it would give me all of the benefits that you guys are claiming to offer. Why do I need Microsoft in the loop? Why can't, this is something I hold and have, if it's in my laptop, I no longer have it. I trust you to have it. So I no longer have two factor identification.

Biddle: Actually, so, we refer to that as N+1 factor authentication. And the specific term we use for what you just described is a super key. And we envision it as being something that you do carry around with you on your person. It does have the kind of cryptographic properties you described. Unfortunately, because of Moore's Law, it's never going to be as powerful, dynamic, flexible, etc. etc. as the PCs you are going to be able to interact with even 10 years from now. So what you need is, if you want to do something which is going to have the opportunity to produce access to secrets, and those secrets can be passwords or account information or your life's, all of your life's, you know, whatever, your life savings, I dunno. You want to use the device you just described to demand a remote attestation from the laptop to the device. So the laptop says, I have the following properties; I am capable of honoring the security context that you demand. At that point and at only that point do you then decide to trust this remote device, which happens to be sitting in front of you and is connected to you by a USB. At that point, you get the best of both worlds. You've got this device you carry around with you. Maybe it's the root for all of your secrets. Maybe it's got all of this context. It is your user token. It's a very powerful one. And because of remote attestation, it gives you the ability to walk up to any machine anywhere in the world that supports remote attestation, and point it at it and say, "Hey, are you safe?" And without remote attestation, you could never do that.

??: And owner override doesn't change that.

Biddle: Correct...

[crosstalk]

SKS: And I would just add to it, that I think there are also people who would be very happy to have all that information bound up in their laptop, and stuck in their briefcase and carry it around with them. There's not any one solution here. The point is to begin the process of bringing strong authentication into the network, let's start there, and then move up the value chain towards trusted applications, bulk encryption, which is going to take us the next few years to get to. But today, the first need in the marketplace we all have is, User ID and password authentication to our e-mail over WiFi would be a really good start. If we could just turn that on...

[major static]

Norlin: Actually that kind, one of the things I really liked about Palladium when I first saw the architecture was that it seemed like it was solving the scalability problem that PKI inherently introduced to us.

Biddle: Yep.

Norlin: So there's my bias for Palladium.

Biddle: So one thing I sort of, to Corey's point earlier, which was talk about something where owner override could fundamentally be bad. One example is if I as a consumer want to get an attestation from a server that it's going to honor the privacy policy, and there's somebody at the keyboard at the server who's like, [chortling], "I'm lying. I'm not going to honor your privacy." I'm screwed.

Corey: But privacy policies aren't honored by computers, they're honored by people. The problem with privacy is not that computers are badly maintained; the problem with privacy is that people tell your secrets to each other. The people that I worry about my privacy of, are people who are in a position of power over me, right? The IRS. The IRS isn't going to take my DRM wrapper, my financials that expire in seven years when my document retention period expires, the IRS is going to demand of me that I put my data in their DRM wrapper, that I will have no control over, and that will be opaque to me. Because the only people that I need to be private from are the people who are already in a position of power with me, and people I don't have any market power over.

Biddle: So what about the situation where, so you don't see there being any circumstance under which I want to set up shop right now, tomorrow, on eBay as a mortgage broker. I'm going to auction off mortgages, and I'm required by federal law to get certain kinds of information. Do you think that we should be able to lie to each other in that transaction, or not?

Corey: I think that whether or not you're running an owner override, would not make me feel secure or insecure, would not change my feelings of security about providing this information as a stranger, because you can still read them. Right? And this is an incredibly compact, unlike the DRM scenario where you're talking about shipping around a 9GB blob off of DVD, this is 12 lines of ASCII. Right? It's my credit card number, my SIN, my Social Security number, and my address and phone number. You know, NGSCB is not going to protect that. Right? The thing that protects that would be possibly poking the eyes out of every one who I sent it to. But NGSCB ...

Biddle: Well no, that is, that's because, it can protect it from incidental and sort of institutionalized abuse, not from an individual having gained the information. But, it can say, for example, have a certificate authority that says, hey this company honors this privacy policy, and we're going to use remote attestation to actually make sure that that's actually, in fact true. You still, you're right you can't prevent one guy from looking at this screen and typing into this one.

Norlin: I'm going to try to squeeze two more questions in. ... more questions? ... Yes. By the way, we could debate this all day, I think, but...

Biddle: We've been debating it for a year and a half.

Q: From the standpoint of ignorance, I'm interested in a little bit with your discussion of this notion of turning it on and turning it off. Very rarely do I hear people say more about the TCPA or the TCG than it's the user's choice and the user does not have to turn it on. But at what point does the user get the choice to turn it on? Before he boots it? And does he turn it on for what scope and range of operability or not? In other words, what is this turn on, can I turn it on one day, and turn it off the next day, and turn it on the next? What is this turn on turn off thing that we hear so much about?

SKS: You can absolutely turn it on and turn it off one day, and turn it off the next. The objective here is very simple. Think of TCG as a place to put a credential, in essence a key. In reality it's signing that, etc. but for a sort of simplistic view of it, think of it as a vault in which I can put a credential. And so, I can have very granular control. I can select that I don't want that credential. I don't want that specific credential put in my machine. Where there are other credentials that I would very much so would like to have in my machine. In addition, once I have a credential in my machine, every user has the right to delete any credential in the machine. They can't necessarily move a credential from one machine to another, but they can absolutely delete the credential. So if I have an identity that's been established with my machine, let's say with my bank, and I want to give that machine to my kid, it's extremely simple for me to go in, look up at that specific key both through the existing software that's there or through very very low-level APIs, I can write my own application to look at the list of keys that is available on the machine, say "this key I don't want any more, make it go away." And there's nothing in the current specification of trusted computing that prevents you from selective deletion of any individual key.

Biddle: So there's, in NGSCB there's two layers of sort of abstraction there. There's at the hardware level, you can go into the BIOS, and there's this thing called locality, and you can actually turn on not only the chip itself but each feature. Right? So you can turn attestation off in the hardware, and when it is off in the hardware it cannot be turned on. So the next thing for NGSCB is, we're assuming that the model is opt-in. So the user has to go turn the hardware on in the first place and then all the primary features including attestation will be opt-in as well. And that can be both very crude, "I don't want to ever do attestation." And, it can also be very flexible and granular. So you can say I only want to do attestation for applications that I wrote. Right? Or whatever.

Q: I think you might have answered my question. I was a bit worried by your discussion, because it sounds like you've tightly coupled keys in the hardware, which I think is really good and can be real beneficial as a building block, with higher-level application services, attestation and other things. My question was how tightly coupled are you guys to delivering this stuff, because that's bad. But it sounds like you're not. Because I think that there's a lot of goodness here that we need to get out there right away. And what kind of applications manifest themselves on it, is a whole other discussion. So we have got to be careful not to mix this all into one big dialog.

SKS: So you're seeing a pretty broad layered approach here. Wave today in connection with a number of the chip vendors and platform vendors is providing a set of tools and utilities and software that I can use on the existing Windows 2000-plus software applications, to use this hardware for a variety of different features and authentication, and IBM has built Linux implementations for it. Others will do what they want with that specific component and capability of hardware. And then Peter has built an operating system level on top of that, that enables a much broader and richer suite of applications, which is appropriate for the operating system.

Q: I understand there have been talks with Europeans, specifically the data protection community. What is the status of that in this technology with the privacy community in Europe?

Biddle: We've talked to the EU, we've probably been out there 10 times in the past year. So it's an ongoing dialog. I would say that I think it's a good healthy dialog. Nothing has come out of it. Right? There hasn't been, that I'm aware of, no proclamation... this is good, this is bad, anything like that.

Q: [major static]

Biddle: Yeah, there was an Article 29 thing that was getting worked on, but I don't know what's happened to that, frankly. We went to a couple of hearings and it just, I guess, you know, presumably they're working on something.

SKS: So, I'll just add one piece to that. Wave built an implementation of our silicon and software for something called FINREAD. And, FINREAD is a European working group for the banking, healthcare, government, transportation industries for stronger identity. And realistically if you look at the FINREAD specifications and their policies and modules, they are dramatically stiffer than anything that's going on with NGSCB or TCG. So this is a programmable hardware security device, with a secure PIN entry, and secure display for communicating to the user, that's a controlled, monopoly controlled device by the bank. The bank owns the keys. This is the state of what the European Union is building, and it was designed to run as applications so that German banks would control theirs, French banks would control theirs, etc. And in a very interesting manner, actually, we ended up writing the FINREAD application as an application on our security system which removed one piece of power, and it took us a year and a half for us to get that approved by them - where we can actually run the French system and that German system simultaneously on one device. And so the user could task switch, in essence, between them. And if you look at the infrastructure of what's being built in the privacy models, that was hugely more draconian than anything that's been talked about here. Because it was controlled by a single entity. Which means that if I didn't like the German banking system, I'm done. I can't have a relationship. And so my only choice is to just take the device and throw it in the ocean. So there should be a path to enable in some ways, NGSCB as a much more flexible solution, where they should have all of the capabilities, secure display, secure I/O, secure credentials, to enable those kinds of relationships, but in a much more open manner.

Norlin: So, a quick wrap up. Thanks to Steven. Thanks to Peter. Thanks to Corey. And we are out of time.