Digital ID World 2004

"Trusted" Computing?
October 27, 2004

Dan Gillmor, Moderator
Geoffrey Strongin, AMD
Lark Allen, Wave Systems
Denise Howell, Reed Smith

Dan Gillmor: My name is Dan Gillmor. I'm from the San Jose Mercury News, and we're here to talk a bit today about Trusted Computing in the context of Digital IDs. There are a lot of interesting developments in that area, and also a lot of questions about what it means. I recommend, if you've not read it, looking in a couple of places; for example, on Wikipedia they have a pretty good page about Trusted Computing. You can also go to Microsoft, Intel, AMD and read reams about it. There are many different takes on the thing. Microsoft has a new name for it, but it's still the same old thing.

Ross Anderson in Cambridge, England has done an FAQ on Trusted Computing that I also recommend people take a look at. [http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html] I think he fairly describes it in the opening of that, by saying that the definition of "security" in this context is controversial, machines built according to their specifications will be more trustworthy from software vendors and the content industry, but will be less trustworthy from the point of view of their owners. That's his take on it. It's a controversial take, as well.

We have three people here who know a lot about this and are going to give us some guidance on it. And, I'm hoping they will get into some areas, for example the intersection of Trusted Computing with the Digital ID World and what customers of this whole thing ought to be thinking about as they proceed. And, I do hope we'll get to the question of really what we mean by the word "trusted." And I know I have my own questions that are pretty serious about that. Who gets to make the decisions really is at the heart of it.

I'll introduce our speakers in order; actually we're going to go out of order from the way that they're sitting, because two of them have PowerPoints and Denise Howell does not, but she will. She's a lawyer, and since lawyers run the world anyway she gets to be the clean-up speaker here and tell us what we are going to do, because the lawyers will tell us what to do.

But we're going to start with Geoffrey Strongin who's with Platform Security Architecture at AMD, Advanced Micro Devices. He's a security architect, designer, with lots of patents and has quite a lot to say on this.

Next to him is Denise, who's an attorney with Reed Smith, a major law firm that has over, what, 1,000 lawyers now. I won't make the obligatory lawyer joke, I'm sorry. And I couldn't, because Denise is too nice. She is one of the people who is doing really path-breaking work in technology law, and I recommend highly her weblog called Bag and Baggage, which you can find on Google easily. [http://bagandbaggage.org/]

And our second speaker is Lark Allen who's Executive Vice President at Wave Systems, which is one of the companies deeply into the whole Trusted Computing area.

So, why don't we start with Geoffrey.

Geoffrey Strongin: So I do want to talk a little bit about our involvement in Trusted Computing. I'll try to tie that very much to Digital Identity. However, these slides are really not customized for that purpose. They really kind of give a little bit of an overview and background. So let me launch quickly into those, because I think what's going to be most interesting is the dialogue here. And, I'll have a few remarks to say about Ross Anderson. [laughter]

So, first of all, I have a quick run through on some strategy slides of what AMD is doing in the area of Trusted Computing and then I'm going to tie that probably in my remarks here back to where this comes into why this is relevant to Digital Identity Management. And that's probably not going to be a big surprise for most of you, since security security security seems to be surrounding all of the exhibits and all of the presentations. And there's a clear recognition that with Identity and Identity Management, security has an important role to play.

So, a little bit about what we're doing. You know, we come from the realities of the history of the PC world where there's been very little intrinsic security built into platforms, towards an evolved PC architecture, an evolved platform, where security will be essentially baked into both the hardware elements and the surrounding software elements, and through that we'll get better properties than we can achieve through purely either a hardware approach, which lacks maybe sufficient context to do a good job, or a software approach, which without the underlying hardware remains vulnerable to a lot of attacks.

And so we've had some significant long term participation in trying to bring that sort of hybrid solution to the marketplace in cooperation with a variety of partners. And as you'll see in some of these slides, this is a big effort requiring participation really of the entire computing industry to fully realize it.

And there's a little bit about the AMD technology and where we're headed and maybe a code word we're now using publicly called Presidio to describe our security enhancements to our products. And let me just run forward here.

But exactly why are we doing this? Because I think really the essential issue here is that there are serious problems with computer security. That's not new news. Anybody who just picks up the newspaper or reads Dan's column will find that out very rapidly. But it does require industry-wide cooperation and collaboration to achieve the success. And we believe this frankly; from an AMD perspective, we sell microprocessors. What exactly is our plight? We may see some change and some rapid acceleration as people go out and buy new hardware that has more secure characteristics. But at the ultimate bottom line, really, honestly, we approach this from our feeling of responsibility. We've been a participant in the success of the computer industry, and the computer industry in part has created this problem of security, and so we do have a responsibility. And that's at least part of where AMD comes from. It's a little bit altruistic. We may sell some more parts in the end, but we're not directly a security sales company, and it's just incidental to our business that we're trying to make our products better.

I serve on the Trusted Computing Group's Board of Directors and as the Vice President of the Trusted Computing Group. And this is the standards body that has come into existence in the industry to focus on the merger of hardware and software building blocks working together to increase the security of platforms. And these technologies are, we've achieved in the Trusted Computing Group significant critical mass, or I'll say this is where the action is happening in terms of the technology definition that involves both the hardware and software working together.

And TCG has the architectural vision from the nature of the companies that are involved. And I encourage you to go to trustedcomputinggroup.org and learn more about TCG. But I want to emphasize that this is not a one- or two-company-led effort. The promoters of Trusted Computing Group include AMD and Intel; they include Microsoft and Sun; IBM and HP. So we have this broad breadth of companies that are involved, as you can see clearly competitors, but we're all interested in achieving the same ultimate goals. And I think we have a good internal structure. Those of you that are familiar with OASIS would find something similar if you looked at our internal structure. I'm not going to belabor that.

I'll finish here in this sort of slide and formal presentation point with a couple of things.

One is we're really trying to raise the bar. I'm going to rapidly go to the next slide, because again this is sort of the context for why we're the environment that we live in. But the scope of the effort is really quite daunting. And, so let me just rapidly run through these items. We're changing the processor. Okay? AMD is making microprocessor architectural changes to bring new capabilities to the processor that allow trusted Operating Systems to exist above us. Clearly that involves cooperation with OS vendors, and I would say vendors in plural to realize the benefits of those microprocessor architectural changes.

And I had talked earlier about, at least in the first slide I mentioned a technology called Presidio which is associated with that. But we've also had some interim steps that we've made with [NX-Bit] Enhanced Virus Protection that's actually already shipping and supported with Windows XP2.

But we're also making further changes to the platform above and beyond just the microprocessor itself. We're making changes to bring a new component to the platform, one called a Trusted Platform Module, a TPM component. And that's been, there's a lot of discussion, the specification for this component comes from the Trusted Computing Group. And over time that component will evolve, but this has been the focus of a great deal of attention. This is a support component. It brings with it some significant benefits, new capabilities brought into the platform, and also new responsibilities, because this device comes with embedded, if you will, keys.

And so that there is some, there's been a significant concern about the privacy aspects of this. And I would say that there's been a tremendous effort on the part of the TCG in defining the TPM module to focus on deploying this in a privacy-sensitive, privacy-friendly way. And I think we've validated that we've achieved that goal in interactions with the European Union's Internet Task Force of the Article 29 Working Party, a number of meetings with them over the course of the last year, German Data Protection Authorities, and so on. So we really think we've done our job to really say, "This can be deployed in a way that is privacy sensitive and privacy friendly." But there are clearly disputes in the industry about that, aspects of it.

Storage Sealing is a key capability. And we don't have time in this forum to explain that at length, but it's really essential, because prior to now PCs had no place to securely store data. And that's something Lark may want to talk a little bit more about.

Secure Initialization. There's always been chicken and egg problems when starting up secure environments. We've had to apply hardware to help solve that problem, and that's part of the overall architecture.

Lastly, we come to some things that are really critical in terms of Digital Identity Management: Secure Input. How many people are aware of the ease with which software can be installed and sneak under your system and steal your passwords and so on, or otherwise snoop your input buffers? So the ability to have the hardware be resistant, and the hardware and Operating System combined to be resistant, to block those sorts of attacks is essential to providing any sort of integrity behind the User Authentication Process. And if that's tied into Web Services, we're right at the heart of what Trusted Computing can do for Digital Identity Management, which is provide that very firm, rock-solid basis of User Identification.

Secure Output deals with the ability to protect content that's being displayed, and it's not just the Hollywood content, although that gets a lot of attention. It also includes things like maybe prescription drug records or the company financials, because these are things again which are potentially subject to spyware that can get into systems.

And lastly, one of the things that really distinguishes Trusted Computing from pure security enhancements is the ability to communicate reliably, with a high level of resistance to attack, that you have certain capabilities and characteristics in your system, and to express those to remote parties.

I have a, those of you that are familiar with the biscotti that we've been getting here, how many of you have gotten your fortune from the biscotti? Well, the little biscotti that the hotel is giving out is giving fortunes. I'm going to read the one that I got this afternoon. It says, "Momma says, 'Never trust a person who says, Trust me.'" Seemed a little germane. And in fact, in trying to have someone rely upon what's my computer's state at the other end of a wire, just saying, "Trust me," isn't good enough. We've got to have some real evidence that we can deliver, and a lot of what Trusted Computing is about is delivering that evidence in a privacy-sensitive way, so that you can rely upon the characteristics of computing environments you're interacting with on the other end of the wire. And whether they're in a federated identity environment, that means that you know the identity credentials were captured in an environment free from spyware, or any of those things, that's the sort of thing that we're talking about.

Thank you. And I probably ran over my time limit, but I appreciate it and will take some questions...

Dan Gillmor: We'll next hear from Lark. And I have a corollary to the "Don't trust anyone who says, 'Trust me.'" When someone says, "Quite frankly," don't believe them.

Lark Allen: So, I'd like to tie Trusted Computing and what we're focused on to the core theme of what we've been talking about here at Digital ID World. I've participated over the last few years in a lot of the Liberty Alliance activities, the eAuthentication partnership things that are going on, 15 or 20 code named government projects on Identity, the CAP [Common Alerting Protocol] Program and others which are all focused on, in most cases, not only identity but an authentication of identities, but then what I do with that identity is I move into Web Services and so on.

So, in my prior career I spent a few decades at IBM and lived through essentially these three stages [Processing (PC), Connectivity (Internet), Access (WWW)] of watching the PC replace mainframes and the internet dismantle the protocols in the network and then basically all other assets be replaced by World Wide Net, so that what we have today clearly is changed all of our lives. It's the infrastructure of the Internet that allows virtually anyone to access information anywhere. And, we continue to see the progress in each one of these of more power, more bandwidth and more access.

And so what we have today in the Internet is an environment that has proven to be tremendous for things that are free. If I want to go shop somewhere and I don't need to have an identity, in fact I can make up any identity I want, and that's essentially the infrastructure here; I make up any email ID I want, or ten of them or twenty of them, and go out and do my thing. But as we move to the next generation of the Internet, we're trying to put the core business processes of a company out on the Internet and use its infrastructure. For instance, one of the applications that we market is a digital signature application. So if I'm an insurance company that wants to put electronic beneficiary change forms out on the Internet so that you can electronically sign and submit a beneficiary change form, I would submit this infrastructure isn't going to satisfactorily handle what you want. We just recently participated in a mock trial based on the eSign [] and what are all the things you could do to attack the identity of the person who's really signed this, was it signed in a Trusted Platform environment, a whole set of other things that would come into question if my kids decided to change my beneficiary change form, or at least my smartest kid decided to change my beneficiary change form.

So, what we see happening is the inclusion essentially of Trust and Security into the platform, and Identity in all the forms we've talked about, in order to support Web Services. And as we move the value up to more and more valuable, then the Identity becomes more valuable, strong Authentication becomes more important, Security becomes more important than all of these. And as opposed to the fact that we're trying to change the nature of the Internet as it exists, I would typify that what we're really trying to do is build a parallel universe that uses the power of everything we have, doesn't replace the Internet as we know it and the environment as we know it and the openness as we know it, but adds a parallel universe where you can do real corporate business and sign contracts and conduct business in a secure manner, where you know that it's trusted. And that's the objective.

So, as we move forward if I have a chart that's basically Trust, from "I don't know if I can trust you" to "high", and Identity, from "Unknown" to "Strongly Authenticated," I would submit that as we move forward up in the value chain that the Web Services that were kind of defined in places like Liberty and others set up in this quadrant, and so you see clearly a drive that says we're trying to move to Certificate based Authentication of Identities and stronger mechanisms for multi-factor Authentication, but tied closely to that is the Trusted Computing area.

I may have the world's best credentials, stored in the most secure smartcard, but if I hand them to an untrusted platform to say, "Is this the person that is now holding the card?" I would submit that you still have an unknown result for that. This is a one times zero kind of equation. So, the notion is, I need to have more Trust in where I'm authenticating to go along with the fact that I'm providing strong credentials.

So the strong Authentication and Trusted Computing actually work hand-in-hand.

Trust itself, if you actually look at the word, what we've built is a number of security features and TCG is basically focused on standardizing very well known security features into a platform. That is things like a random number generator and an RSA key generator and digital signatures and hashing. We haven't invented anything, all we're really trying to do is make a standardized way, so if I want to store an Identity Credential I have a standard way to store it; if I want to back up keys and migrate keys and roam keys, I have a standard way to do that. Today those features are in almost every platform, but they aren't standardized.

And I would submit that what TCG is working on, is trying to standardize the building block, that is the essential building block around relationships. Relationship, this is like a one-handed applause. You can't have a one-handed applause. You need two hands. A relationship is between two entities. Between a user and their platform, between the platform and their [], an employee and their company, between me and a service provider. There are thousands of relationships that we have out on the Internet, some are Trusted. I don't need a Trusted relationship with the weather.com site. On the other hand if I sign up, give them my personal information, personalize it so they know me when I show up, then I have a personal relationship of sorts. I don't trust a lot, but it's more than if I were anonymous. So, we move up in that value chain.

So, what TCG has worked on is a standard building block, which looks very much like a smartcard technology; it's called the Trusted Platform Module. At its base level it gives you hardware security or hardware storage integrated into your platform. Most of you who have ThinkPads most likely have a TPM sitting in your ThinkPad. Most IBM ThinkPad models and other devices now have this as a standard part. HP ships it. Intel ships it. Fujitsu. So we're getting broad deployment. What this is for is, it's a secure place to store identities. So those of you who are deploying hardware tokens to store your certificates, this is a hardware storage place where you can put your certificates, and it'll work just fine with all the backends that you are using to authenticate against.

It's a root of Trust for the platform. So, I know I have a place to start so that I can boot my platform into a known Trusted configuration that looks, and I can compare it to a known configuration, that it gives me trustworthiness of the configuration, generates keys and digital signatures, does some authentication. We've developed some new protocols that actually allow you to have anonymous protocols but can prove that you have a trustworthy platform without exposing your personal information.

So this is actually a privacy friendly technology, we would claim, as well as an opportunity as a building block to strengthen your identity applications.

So the TCG, the important part is that it's an open standard. As Geoffrey talked about, the group was designed as an open standards organization. It's expanded from the PC. We have technical working groups that are working to put this technology in virtually every platform. I'll give you another example: for the Mobile Group, the identity of your telephone and your cell phone is called the IMEI number. And the problem we have with the IMEI number is that it cannot be secured very well. And so Vodafone, who's a member of our group, says that on an annual basis they have a services-based model where you get your phone for free if you sign up for the service for a year to two years. And so they have organized crime rings steal the phones, change the identity and then sell the phone on the street. It costs Vodafone €130m a year for changed identities of stolen phones. They want hardware security to protect the identity of the phone from being changed. It's a valid requirement that they have around the Identity space. The Mobile folks are also some of the most aggressive in the Federated Identity areas, because of all the services they want to include on the phone, so that you can log in once and have your Federated Identity provided from local services.

So IDC has projected that over the next several years this technology will be fairly widespread. We think that at this point there's probably somewhere in the range of 12 to 15m devices out there that already have it in. There are more being added every day. There are some significant announcements. Two weeks ago IBM announced a new ThinkPad with an integrated biometric. So what you now have, and Jamie Lewis [CEO and Research Chair, Burton Group] talked about this, what you now have integrated into the platform is a full, multi-factor, strong authentication system, where you read the biometrics with a scanner, the TPM stores the biometric minutiae, and does the authentication in a Trusted location to come up with "Yes" or "No," is this the person that should be accessing the system.

So you're starting to see these kinds of technologies integrated. And I would put forward that the parallel universe that we are trying to build has these three legs associated with it [Identity, Trusted Computing, Web Services] that includes Identity, Trust and then ultimately the Web Services that we're trying to build.

Thank you.

Dan Gillmor: Thank you. And we will now hear from Denise to tell us how exposed we are. This is the legal term.

Denise Howell: Thank you, Dan. And before I get into my notes here, I would like to take the opportunity to embarrass Dan and congratulate him on being the winner, just recently announced, of the 2004 World Technology Award for Media and Journalism. Which I think is just wonderful. [applause]

So I am the lawyer person on the panel. And, one of the things that they try and instill in us lawyer persons in law school and when we take the bar exam is something called "issue spotting," which stated differently is how can people sue each other. And, as far as Trusted Computing goes my issue spotting radar goes off in any number of directions that the folks involved in the process may or may not yet have thought about. A lot of these potential areas for legal disputes down the road arise from the relationship between the user and the computer, and the user and the content that's on that computer, both the software and any other content media that they might get from Hollywood, which is certainly a factor in the Trusted Computing landscape, if not the only factor. Of course, there are a lot of business enterprise security concerns as well that we've heard about from Lark and Geoffrey.

But on the user side, one of the things that we have been seeing happening lately in the Federal Courts, as lately as just yesterday a decision coming down from the Sixth Circuit in the Lexmark case, is an encouraging validation of principles such as Fair Use that are definitely part of the copyright landscape. They are embodied in the Copyright Act, but it's difficult for them to get a lot of clarification and strength in the court system sometimes because they are very grey areas. There are a lot of murky factors that courts must apply, and really there's no hard and fast rule for whether something is going to be a Fair Use or not. Well, we've had a couple of decisions come out lately. The Lexmark case yesterday, that I mentioned, involved a company called Static Control Components that was making compatible chips that helped printer cartridges interoperate with Lexmark printers that were designed to only operate with their own cartridges. This is much like the garage door case that you might have read about in the media a couple of months back. In any event, the decision yesterday relied both on the Digital Millennium Copyright Act, or the DMCA, and the Fair Use Doctrine in basically validating that this chip could be manufactured, even though it copies some software from the Lexmark printer cartridge and also the printer itself. So there are some definite copyright arguments to be made, and Lexmark very fervently made them, but the Fair Use Doctrine came to the rescue of Static Control even though they are a commercial outfit, and many times the Fair Use Doctrine traditionally is applied for non-commercial use, educational use, etc. Here they looked at the creative nature of the software itself and decided that we weren't really talking about something that was along the lines of a short Haiku poem, for example. One of the pieces of software that the court had to analyze was very, very tiny. And although such things can be copyrightable, in this case it found that it was not.

So we have some strong endorsements both from the Sixth Circuit and the Ninth Circuit in its Kelly v. Arriba Soft case recently, also permitting a search engine to use thumbnail images in the results that it returns from the Web; even though those images are copyrighted, in a commercial enterprise the Fair Use Doctrine applied. And also, coming up on the election here, the Northern District of California, one of the District Courts in the Federal system, issued a decision in a case called Online Policy Group v. Diebold, the electronic voting company, that had to do with a number of internal memoranda from Diebold that came out, that were sort of incriminating, intimating that perhaps diagnostic tests had not been accurately reported on the reliability of the electronic voting machines. These things were published on the Web. DMCA takedown notices were sent, and to cut to the chase, a small ISP was able to use a little-used provision of the Copyright Act, actually the DMCA section 512(f), to assertively go out and say these are protected activities, not infringing activities, that our users are involved in. And the EFF, the Electronic Frontier Foundation, led the charge on that and actually wound up getting awarded the attorney fees, damages and costs, which is one of the things this section has built into it. So, there are some strong protections for consumers coming out of the Federal Courts these days that might, potentially, be at odds with a hardware security system that is designed in part to help content providers lock down their material in such a way that the Fair Use Doctrine might not be exploitable to its full extent.

The other area that we have seen come out of the courts this year: P2P software has been ruled by the Ninth Circuit to be a legal creature, not something that in and of itself is a copyright violation. When we start talking about whether applications can run on a computing platform, which is one of the measures of control that can be built into a Trusted Computing system, purely whether it's a violation of the law to prevent an application from running when in fact it is a legal application as far as the courts are concerned, or cutting it more finely, if the application can run, can it run to its fullest extent, can users use the files but not with that application, to prevent them from taking an MP3 and putting it into Kazaa, for example. So these are all issues that come to the fore.

Also, the elephant in the room that we haven't yet discussed here as far as Trusted Computing goes is of course Microsoft, with their NGSCB initiative that Next Generation of Trusted Computing, basically that stands for, which if that doesn't sound like a government black op project, I don't know what does.

But apart from its definite worthy goals of providing stability and reliability, privacy protection and business process protection to the Windows platform that might not exist there to its fullest potential today, whenever we bring Microsoft into play of course the words anti-trust are not too far behind as far as people simply investigating that issue.

And one of the motivations that Trusted Computing has, it has been posited is to enable the content industry to release their materials in a way that they feel can be trusted, and they're not going to worry about the file sharing that we've seen in the music industry spreading to the motion picture industry if they can operate on a Microsoft platform that precludes that. Well, if Microsoft declines to make their platform interoperate and work in a cross-platform manner you're going to find certain material that's only viewable on your Windows machine and that of course could raise some anti-trust issues.

So, we really have three areas: the programs that will run, the material that users want to use on their computers, and the tradeoff that we've seen in the Fair Use arena recently that come into play, coupled also with the Digital Millennium Copyright Act, which the courts are still grappling with and could very well present an issue here, because of course what the DMCA prohibits is the sale of products that may be used to circumvent the technological measure that effectively controls access to a work protected by the copyright statute.

So, of course there have been various things developed to date that do circumvent copyright protections, there is no reason to believe that will stop once the Trusted Computing platform is more widely used and available on all of our machines, and of course once that's the case you'll find parties suing under the DMCA for these anti-circumvention measures that might be out there and available.

So, that pretty much wraps up my spiel for the time being.

Dan Gillmor: Thanks, Denise. Let me ask one really quick question and then we'll jump right to your questions. And I'll ask Denise to answer this. The cases you brought up are cases where people have used current, more open technology to assert their own rights to Fair Use and other things. In a Trusted Computing environment, if it works, it's going to be very hard to break, to hack it in any serious way. And let's assume for the first time in history it becomes impossible to hack it in a serious way. Do you think courts are even remotely likely to say, "Well, you have to make it hackable in order that people can assert their Fair Use rights?"

Denise Howell: That does sound like an extreme position for a court to take. But really when you look at the development of the Fair Use law just in the three decisions that I mentioned that have come out this year, there certainly is a recognition that the Fair Use Doctrine remains an important part of the copyright landscape. But the Sixth Circuit decision that came out yesterday didn't have to get into the Fair Use section at all. It really was tangential to what it was trying to decide really whether these materials were copyrightable in the first place, nevertheless it went on for about two pages discussing the way the Fair Use Doctrine could be expanded to apply in this circumstance and I think that these machines do lock down content to the extent that it's not going to be possible to use things the way the courts say they can, that we might want to see that.

Geoffrey Strongin: I think that the issue of Trusted Computing and Digital Rights Management systems is fascinating. I mean it's a really interesting intersection of public policy and law and technology. One of the things that I always circle back to though is that if we really look at this, the technology is agnostic. The policies that are being objected to are generally those of commercial enterprises in the choice of how they present their materials into the public. And I believe that those policies and the policy settings for DRM systems are certainly subject to the sorts of intervention that you might say, but you wouldn't ban locks because people can use them to secure content, because they also have clear positive benefits. I was asked once whether or not, isn't this good because the RIAA is going to love it because they'll be able to prevent copying, and isn't this bad because FileShare is going to be able to hide the information about what they're sharing. And the answer is yes and yes. So the technology ultimately, security technology when applied in digital rights, is really a double-edged sword. It cuts many different directions. And really the issues I think around the use of Fair Use rights doctrines and so on come back to the policies that are employed by the companies distributing the content, as opposed to ultimately the technology itself, which is providing essentially a security technology.

Denise Howell: I agree with you that the technology is agnostic, but what we're going to see when this takes security down to the hardware level is a fundamental shift from what we have today, where the lock is unlocked and the lock will then be locked. And question how that changes the entire landscape of how you use those materials, and how companies build the things they make available.

Dan Gillmor: Why don't we get to some audience questions. Dave here has a mic.

Audience Member: My question for the panel is, so I'm sitting in the lobby out here with my laptop and I decide I want to do some online banking. So I enter my username and my password. How would the TPM protect me, I'm not worried about Digital Rights Management, I'm not worried about Hollywood, I'm worried about me. How would a TPM protect me, my bank account and my personal information from ending up on somebody else's machine in here, who then steals my identity and takes me ten years to get my credit straight, so that I can be an honest, God-fearing, member of society again.

Geoffrey Strongin: I'll take the first stab, and then Lark maybe why don't you follow.

Lark Allen: Sure.

Geoffrey Strongin: So, I think that first of all there's a lot of layers to the answer. There's communication layers, like just using IPsec, for example, that you might use today to protect the channel between you and your bank, or SSL, but more to the point is that your concern, what about the authorization tokens that I'm exchanging with my bank and are they visible, or is there a piece of Spyware on your system that is observing your password as you're typing it in and then later on remote-controlling your bank. And so, all of those are various different attack methods, and Trusted Computing brings a whole range of technologies to try and attack all of the vulnerabilities. So the idea is ultimately to address those attacks. The user interface, through strong user authentication, trusted input allows us to ensure that there's not spyware watching you log in. If there's sensitive information on your display the trusted output would prevent that from being stolen by a snooping application. And then the environment you are running, the software that you are actually executing there, you'd like to have some confidence that in fact that has not been modified and altered, so you may want to partition the execution of that environment into an area that is really safe from viruses and that validates the integrity of that software object against what are the expected values for the metrics of that software. So all of those technologies lump together to be Trusted Computing capabilities, and ultimately you might want your bank to ping your system and say, and by the way is this the system that you have designated as the one that will interact with the bank, and not some other random system that was two seats down from you from where you were logging in. And that is also possible with the ability to authenticate the nature of the platform. And so all of those things are potentially part of the answer to the question that you ask, and they're all Trusted Computing technologies.

Lark Allen: The other thing that I would add is, we've seen some of the first applications around TPMs. One of them is basically a user wallet that allows you to store user IDs and passwords for at least the main sites that you frequently visit. They're encrypted and protected by the TPM, so you authenticate yourself to the TPM which opens up your wallet, so now when I go to a site it will automatically form fill and log me onto that site, and the problem is that I'm managing lots of passwords to lots of sites. It's kind of a poor man's client end version of Single Signon or Simplified Sign-on, if you will, but if I happen to have a virus with a keystroke logger on my system it would not see any of those passwords that were being entered, because they are not coming from the keyboard at that point. So there's several at least very tactical approaches that would help today.

Audience Member: Hi, thanks. You saw the statistic up there with 175m PCs by 2007 enabled with the TPM. I guess my question is, I could see from the Identity perspective being used to secure the identity of the manufacturer of the PC for example, using PCs as the example, of the individual with the example you just gave, ISPs and software, enterprises can [] and run. What do you think are going to be the biggest driving applications for use of the platform in the near, let's say next couple of years?

Lark Allen: What we're seeing right now is this whole area of strong Authentication. Essentially the TPM is the token, it's a valid. So, if you want to add multi-factor authentication into your network, here's a very strong token that has a very strong affinity to known entities being users. You can store user credentials there that we actually, the working group called the Trusted Network Connect group that's working on an open specification for when a device comes into a corporate network or a VPN, how can I authenticate the device and is it coming from a trusted location and how trustworthy is the configuration, that is does it have up to date anti-virus and firewall protection or is it a completely open public kiosk that they're trying to come in from. So, Authentication is a big one. I think Data Protection, just the ability to encrypt your own files and securely communicate between UPN, set it up so that members in an engineering department who want to share documents can securely set up and have documents on a public Web server that are encrypted, and only those with the keys that they've distributed can see the data. So, those are some of the easy ones that don't require massive infrastructures to enable them. They're probably the first ones out of the box.

Geoffrey Strongin: I would add to the, I would agree with you that the first one is strong user Authentication, which I think is the Achilles heel of Web Services. The more valuable the Web Services, the more important it is that we have strong user Authentication. But I think we are all, you know, how many people don't run a virus scanner, everybody is concerned about viruses, worms and trojans. And so the ability of Trusted Computing technology, which is based in part on the TPM, but the TPM, from the list I put up, is an element in the overall tapestry of Trusted Computing. But the ability to have applications which essentially run in virus-safe environments is clearly going to be an important driving factor. So that comes back to a question you said earlier, "What's Trust?" Trust is predictable behavior, at least in part. There's more elements to that, but you want your applications to behave the way they were designed to behave, that's predictable. They may fail if they're erratic applications to begin with. We can't solve the world with Trusted Computing, we aren't going to make applications inherently better, but you don't have right now a lot of confidence sometimes in your own computing environment being what you really think it is. You know you loaded those applications, but there's that little hesitation that everybody knows, did something sneak through my virus filter, especially when your friends start telling you, your system is sending this virus email. And you don't know whether it's because somebody snuffed your email address or whether you really have a virus. And it's like the tools don't always help you.

Denise Howell: Following up on that point, one of the things I've seen raised on those lines by David Weinberger writing for Technology Review was especially whether it's really necessary to take it down to the hardware level to prevent viruses. I mean, isn't that assuming that most viruses are transmitted by someone who has direct access, inserting a disk for example, to a computer, as opposed to coming in over the network. And maybe you can elaborate on why the hardware level is really necessary.

Geoffrey Strongin: The simple answer for that is you have to go back and look at the architecture of Operating Systems to understand why hardware is really a part of this, and it's no mystery that if you look at, for example I'll use Microsoft Operating Systems as an example, but it applies equally as well to Linux and other major OSes. There are literally millions of lines of code in those Operating Systems which run at the most privileged level of software. And all of those millions of lines of code have to be perfect for there to be no vulnerabilities at the software layer. So what hardware does is acknowledge the fact that in fact that software layer isn't perfect, and that we need to instantiate, if you will, some firewalls inside the Operating System. And, the hardware that currently we have in place in the industry doesn't provide those essentially partitions and barriers between pieces of the Operating System, that allow me to have some very small, thousands-of-lines-of-code elements which can be re-examined and provably made to be secure that are then responsible for enforcing security properties on other pieces of the Operating System. And, in cooperation in trying to figure out how do we fix this problem, given the fact that we don't want to throw out the existing Operating Systems and start from scratch and destroy the billions of dollars of ISV investment and so on, is what leads us to have to resort to new hardware capabilities.

Dan Gillmor: You used the word, the phrase, "predictable behavior" and actually I'll go further on the thing that you just raised, which is Microsoft. Microsoft, there is predictable behavior, or at least there has been, of trying to get people to its products and no one else's. What if Microsoft decides to make it much more difficult, using Trusted Computing, to interoperate with a Linux computer for example, and that things don't work quite right with StarOffice some day if you have a Microsoft Office document. What would prevent them from doing that in a pretty bulletproof way, other than Denise's anti-trust question. But since we don't enforce anti-trust any more, I'm not clear that would do anything.

Geoffrey Strongin: So, I think that's an excellent question, obviously I can't speak for Microsoft, and in this regard, you know they are a strategic partner of AMD. I would say that frankly there are market pressures that they are somewhat sensitive to. And that they will stimulate the sort of renewed focus on anti-trust enforcement if they were to take those sort of really predatory attack practices through this technology. Their participation in Trusted Computing Group for developing open standards for this is an example I think of where, I think, they may, you know, go wherever they can go, and I can't say that they won't try to take full advantage of the technology to advantage themselves versus others, but at some level I think we come back to this as an issue of their behavior at a policy level, and if they're doing things that are illegal based on their market power there's a different course of recourse than saying the technology is bad, which has clear, where the technology also has clear benefits.

Dan Gillmor: But they could, if they wanted to, using this.

Geoffrey Strongin: I won't deny that the technology is powerful and when you bring cryptography into existence and use cryptography, it can make the reverse engineering attacks and so on impossible or infeasible in the given reasonable times and money.

Audience Member: One thing that I've read is that we're going to see a new generation of USB devices that will expect to find Trusted Platforms, perhaps, on the other end of it. Like, Microsoft platform, your platform. My question is, would that be another possible way that consumer choice would be shut down if they bought a USB device and it's expecting this. Aren't hardware vendors perhaps able to bring undue pressure to bear on that technology.

Lark Allen: So, one of the guiding design principles that we have published and codified within the TCG is that this is a user controlled technology. That is, it is shipped turned off. It is only turned on by the user. And so in this case, and we're actually working, we have a working group that's working on peripherals. And the goal is every peripheral and device will eventually have the opportunity to have trusted modes of operation. So that if I want to have secure communications between a USB device and the motherboard platform or a disk drive or others, I can have secure communication. But, all of those will be controlled by the user. They won't be forced, and you have no ability for someone external to turn it on, the user must be able to turn it on. In the case of enterprises, the enterprise can set the policy and say because of our VPNs and our internal policy it will always be on for these reasons.

Audience Member: Lark, I want to go a little further on that. So, Geoffrey's using analogies so Trusted Computing is enabling a set of locks on the doors, all the way up and down, right. So what you just, I interpreted as saying, well okay, the user has the keys. Who really has the keys? I mean, if the Trusted Computing division comes about, who has the keys? And then how does that then tie in to Digital Identity infrastructure?

Denise Howell: And are all the locks on all the time, or all off, is there any sort of grey area in there?

Lark Allen: So let me try and I'll let Geoffrey finish up, because he'll straighten out everything I screwed up. [laughter] The TPM is there and actually can generate an unlimited number of keys. Keys that can be owned and used by users, in fact you can have multiple users share the same platform and have unique keys with passwords that only they know that control functions within their view. If a Service Provider says, "In order for me to deliver my service to you, I require strong Authentication and I require the ability to protect this." You have the choice. If I want that service, then here's what I need to do to enable that and only that service on my platform. If I don't, if I choose not to, I don't get the service. No different today than if I don't get a settop box, I'm not going to get cable or satellite service. So, it will be driven by the user's choice of what services they'd like, but again no one can force something on your platform that you didn't choose in that environment.

Geoffrey Strongin: So I think that first of all you didn't say anything that was wrong, so you're right on. I think there's a couple of questions associated with that. The simple answer was yes. The user controls the services that they want to obtain. In the case of my Quicken banking relationship, when I have electronic banking, frankly, the bank and Quicken handle the key. I never see that key. There is some key that authorizes Quicken to do electronic funds transfer, but that's been arranged between the bank and my system. So in that case I'd say the bank owns that key, because it's the one that they've worked out with Quicken to authorize that transaction. So in most cases where there's a service relationship, the Service Provider is going to be the one that's figuring out, is going to be responsible for controlling that service and access to that service. Cable TV is the obvious case. You don't own the keys to your cable box that authorizes HBO, the Service Provider does.

But I think there's another sort of question there, which I think I want to make certain we get, TCG, I'll say AMD, across the board have decided, absolutely we are not a root authority and we do not own any core root keys for anything. All of the cases where there is any device authentication that was discussed, for example a USB trusted device talking to a platform, currently we're not there yet, but assume that we get to that point at some point. These are manufacturer, supplier provided self-signed credentials. So there's no root authority. TCG is not a root. We're not going to be able to pre-authorize Vendor A and deny Vendor B. If Vendor A wants to say, "I want to play," we're going to have open standards for them to participate, join the market and assert that they have the capabilities through their own digital signing, an attestation saying, "This is a Trusted Platform Module." For example, the TPM components come from a half a dozen or a dozen vendors over time. Right now I think there's about half a dozen vendors. There's no root authority that says that any one of those is permitted to do TPMs. It's all a complete self-certification regime...

Audience Member: [] NSA?

Geoffrey Strongin: There's no keys... frankly, there's no back doors here. You know, I'll put it this way, none of the companies that are involved, we're talking about here consumer grade security and we should make certain we discriminate between that. This is security that may cost two to three, five, maybe ten bucks more at a platform level. It's, college engineering labs are going to be able to break this stuff relatively easily. This is not stuff that really interests NSA in having backdoors in it, like EMBASSY encryption chips and Crypto AG stuff and all of the long history of backdoors that they might have tried to put into very secure military industrial security systems. These systems are so easily breakable from my perspective. Because it costs thousands of dollars to put a system together which is not easily breakable. But they just don't have an incentive.

AMD as a company is not putting backdoors in our product. I can't speak for other companies, but we're putting our reputation on the line when we say something like that. And we'd destroy our brand equity tremendously to build backdoors for NSA or for any other security agency into the product, for what positive gain? It's just not a profit center for us. And so I think TCG as an organization has gone on record, no backdoors. I can certainly say AMD, I'll go on record here, we're not building backdoors. My job at AMD is really to try to make certain that I don't leave the backdoor open for everybody by making certain I haven't forgotten a security vulnerability.

Denise Howell: And if they're that easily breakable as Geoffrey says, Peter Biddle at Microsoft, who runs the NGSCB Group, wrote the Darknet paper [http://msl1.mit.edu/ESD10/docs/darknet5.pdf] about how if something can be broken, it will be. And, it's just an inevitability. So you will definitely see the DMCA coming back into it there.

Dan Gillmor: I think with that we must draw to a close. Thank you for coming. Let's thank our panelists. [applause]