« October 26, 2004 | Main | October 28, 2004 »
October 27, 2004
DIDW 2004: Trusted Computing
I'm in Dan Gillmor's session on "trusted computing." Dan is a great choice to moderate this discussion. His blog is Dan Gillmor's eJournal. The panel is Geoffrey Strongin (AMD), Lark Allen (Wave Systems), and Denise Howell (Reed Smith). I met Lark when I was CIO for Utah. I've known Denise for a few years too. She does the excellent Bag and Baggage blog.
Strongin speaks first saying that addressing the problems of privacy, security, and third party trust requires changing the PC platform. He's on the Trusted Computing Group's board of directors. The point in his slide that's sure to cause contention says "Protecting data against unauthorized disclosure." This sounds good in theory, but in practice means that the PC has to become something less than a general purpose computing device. In the extreme, it becomes a player for content produced by others. The AMD architecture is being changed to incorporate trusted computing features including:
- Isolated execution space
- Enhanced virus protections
- Storage sealing
- Secure initialization
- Secure input and output
- Remote attestation
The latter is about delivering evidence to remote parties about the state of the computer. For example, attesting that security credentials were authenticated in an environment free from spyware.
Lark is the CEO of Wave. Lark spent several decades working for IBM and then struck out on his own. Last time I heard from Lark his company had a trusted keyboard. I don't remember the details. They've moved beyond that, it seems. Lark contends that Web services requires known identity and high trust. The former is done in a variety of methods. The latter, according to Lark comes through trusted computing. Trust is a relationship. Wave has built secure random number generators RSA key generators into a standard package (I think that's what the keyboard is about). The part is the trusted platform module (TPM) and is part of almost every Thinkpad and many HP laptops as well. The TPM is based on an open standard. The goal is to put a TPM into every platform including PDAs and cell phones.
Denise talks about "issue spotting," lawyer-speak for "how can people sue each other?" She speaks specifically about where trusted computing and the notion of fair use (from copyright law) might run afoul of each other. She cites a Lexmark case decided yesterday by the Sixth Circuit Court of Appeals as an example. Using trusted computing, Lexmark could have kept the generic ink cartridge manufacturer from interfacing with their printer--even though such an interface would be legal. Another example is the Ninth Circuit decision about P2P software. The question is "Can a third party prevent a user from doing things on their own computer that are legal?" Clearly most people would say no. So, the second question becomes "Can trusted computing cut with a fine enough knife to ensure that only truely illegal activates are prevented by third parties?"
Dan asks "Assume for the first time in history, it becomes impossible to hack into documents and applications. Are courts ready to say "you have to make things hackable to allow fair use?" Denise responds that even though that seems like an extreme position to take, the courts have been quite active in upholding fair use. Strongin says that this is a fascinating public policy issue and that the problem shouldn't be about what technology to build but should be decided in public policy.
lark talks a little more about the TPM and I understood it for the first time (even though I owned a Thinkpad with one for years, I never used it). Its like the Keychain on OS X, except that its in hardware so that keystroke logging spyware, etc. can't eavesdrop on the user actions (keyboard direct to the TPM and cryptographic functions happening on the chip). I use the keychain all the time. The note feature is handy for storing information I want to keep secure on my machine in addition to its standard use of storing usernames and passwords.
Dan asks "What keep Microsoft from using trusted computing to keep OpenOffice from reading Word documents or even OpenOffice itself from running on Windows?" Strongin says that this isn't a technology problem, but a public policy platform. Don't condemn the technology because it might be used for bad purposes. Of course, the irony of that statement is that this is precisely what the DMCA does and what INDUCE builds upon.
Strongin speaks to the issue of backdoors and says that these systems are easily breakable. That sounds reassuring except for the fact that that means that in reality all they'll do is inconvinience legitimate users rather than stopping the things they're trying to stop. Sad.
06:19 PM | Recommend This | Print This
My i-Name
While here, I've had a chance to learn about the Identity Commons, a move to create a third party identity service. Identity Commons is committed to individual ownership of identity information and relationships. They manage something called i-names, unique names that you can sign up for and keep for 50 years (one-time fee). I signed up for one this morning. I'm =windley. The equal sign is used before an i-name to identity it as an i-name. So far, about the only thing you can do with an i-name is to create a contact page. Here's mine. Eventually, the i-name will tie to all kinds of forms of contacting a person.
I-names are based on the XRI specification. XRI (Extensible Resource Identifier) is a "new URI-compatible scheme and resolution protocol for abstract identifiers÷identifiers that are location-, application-, and transport-independent, and thus can be shared across any number of domains and directories. The XRI 1.0 specifications were published in January 2004 by the OASIS XRI Technical Committee."
I've got no idea if this will ever go anywhere, but I think interesting and support it $25 worth.
11:46 AM | Recommend This | Print This
DIDW 2004: Art Coviello on RSA
Art Coviello gave the second talk this morning. I didn't bother to blog much of what he said because you can get most of it by reading the marketing speak on RSAs Web site. It was like listening to an infomercial. He even went so far as bringing an AOL exec on stage with him at one point in a little interview setting during one part of the talk to discuss "why AOL thinks RSA is great."
One thing that they talked about was AOL's plans to offer RSA security tokens to their members. If you're not familiar with these, there's a picture of one on the right. At first blush this seems like an interesting idea, until you take it to its extreme. Imagine a world where everyone you have a username and password with wants you to carry a fob to gain access to their service. You'll need a fob bag. This is not the answer unless its coupled with widely available federation.
09:46 AM | Recommend This | Print This
Digital ID World Photos
I have more photos from Digital ID World online if you're interested in seeing more of the conference.
09:33 AM | Recommend This | Print This
DIDW: Gordon Eubanks on Identity Management Strategies
Gordon Eubanks discusses siloed organizations in his morning keynote.
|
Gordon spoke to the issue of centralized management of identity in a decentralized infrastructure. What Gordon means by centralized management, it seems, is governance, oversight, and monitoring. In response to a question from the audience, he clarifies that he's not looking for go back to the days of the mainframe, but finding a way to be effective and efficient in a decentralized architecture.
There is tremendous savings in centralizing these services, but more important are issues like regulatory compliance. Policies and auditing have to be shown to be consistent with the processes you said you put in place.