Stefan Bechtold's blog

Trackback spamming

by Stefan Bechtold, posted on February 22, 2005 - 2:17pm

Some readers may remember that we used to have a big comment spam problem at CIS blogs (see here and, more generally, here). Now that this problem has been fixed by a workable solution for several months, we are increasingly getting a new kind of spam: trackback spamming. As long as no workable solution to trackback spamming is installed on the server on which the CIS blogs are running, the trackback functionality will remain turned off. Sorry about that.

Free tags: tcblog

Talk on trusted computing

by Stefan Bechtold, posted on January 18, 2005 - 5:21pm

On March 28, 2005, I will give a talk on the legal and policy implications of trusted computing at the Center for Internet and Society at Stanford Law School. More information can be found here.

Free tags: tcblog

DRM book

by Stefan Bechtold, posted on January 17, 2005 - 7:22pm

For the German readers: my doctoral dissertation on DRM, which was published in 2002, has been out of print for some time. But now the publisher has agreed that I can publish the original PDF file on my homepage. So here it is (544 pages, 3.37 MB, written in German).

EFF on the TCG Best Practice Committee Paper

by Stefan Bechtold, posted on January 5, 2005 - 8:48pm

In October 2004, Seth Schoen from the EFF published comments on a still-unpublished draft by the TCG Best Practices Committee called "Design, Implementation, and Usage Principles". And although the TCG paper is not publicly available, the 23 pages of EFF comments are well worth reading. I just want to comment on two issues raised by the EFF:

  • On pages 4-5, the comments correctly point out the problem that a principle according to which TCG should avoid the introduction of artificial barriers to interoperability is weak as there is no consensus about what an "artificial" barrier is. In general, I agree that most (if not all) "Best Practices" and legal approaches based on terms such as "artificial", "unduly", "reasonable", "unjustified" enable companies to hide their real preferences behind nice words (the U.S. Microsoft consent decree can also be criticized for this, see here under #4). However, what I miss a little bit in the EFF comments is the remark that, probably, no perfect solution to the remote attestation problem exists. From my understanding, all technical solutions that have been proposed so far have their own problems: they either limit the functionality of a TC platform, are too costly to implement, work only for a certain subset of computer software etc. As long as no perfect solution exists, the real challenge is to compare the pros and cons of all technical, legal and business practice solutions and to decide which, given that there is no perfect solution, is the second-best way to go. I haven't seen a lot of work done on this comparison.

Free tags: tcblog

Property-based Remote Attestation

by Stefan Bechtold, posted on January 4, 2005 - 8:45pm

Ahmad-Reza Sadeghi and Christian Stüble have recently published a paper that builds, in some regards, upon an earlier paper by Klaus Kursawe and Christian Stüble. In this new paper, the authors want to achieve something similar to Vivek Haldar et al. in their paper on semantic remote attestation: enabling remote attestation without revealing the detailed system configuration to the remote challenger. However, the solutions Ahmad-Reza Sadeghi and Christian Stüble offer differ from the semantic remote attestation proposal: they propose various "property-based" attestation mechanisms which translate demanded properties into concrete platform configurations and vice versa. To achieve this goal, they propose to use trusted third parties, certificates, group signatures, zero-knowledge proofs and commitments in various hardware- or software-based combinations. (They also update the earlier proposal by Klaus Kursawe and Christian Stüble on page 8.) While this is complex stuff, it still seems that the property-based remote attestation proposal can be implemented more easily and for a wider scale of applications than the semantic remote attestation proposal.

Free tags: tcblog

Semantic Remote Attestation

by Stefan Bechtold, posted on January 2, 2005 - 11:39pm

So I am slowly catching up with the TC debate (more to come soon). Last May, Vivek Haldar gave a very interesting presentation at the 3rd USENIX Virtual Machine Research & Technology Symposium. In the related paper, he and his co-authors propose an approach which they call "semantic remote attestation". The high-level idea is to have a remote attestation mechanism that is not based on the identity of a particular software program, but on its behavior. In the end, the goal of remote attestation is not (or should not be) to know what particular software program is running on a remote platform, but whether the program behaves in malicious ways or not. In order to separate program behavior attestation from program identity attestation, the authors introduce a trusted virtual machine that can attest various properties of a local software program to a remote challenger without necessarily revealing the identity of the software program.

Free tags: tcblog

Brickell, DAA

by Stefan Bechtold, posted on October 25, 2004 - 9:45pm

Ernie Brickell, Jan Camenisch & Liqun Chen, Direct Anonymous Attestation, in: Atluri, Pfitzmann & McDaniel (eds.): Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004, Washington, October 25-29, 2004, pp. 132-145.

Boneh, Group Signatures with VLR

by Stefan Bechtold, posted on October 25, 2004 - 9:42pm

Dan Boneh & Hovav Shacham, Group Signatures with Verifier-Local Revocation, in: Atluri, Pfitzmann & McDaniel (eds.): Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004, Washington, October 25-29, 2004, pp. 168-177.

Boneh, Short Group Signatures

by Stefan Bechtold, posted on October 25, 2004 - 9:27pm

David Boneh, Xavier Boyen & Hovav Shacham, Short Group Signatures, in: Franklin (2004), Crypto 2004, Lecture Notes in Computer Science 3153, Springer 2004, pp. 41-55.

Marchesini, Open Source TSS

by Stefan Bechtold, posted on October 20, 2004 - 8:11pm

John Marchesini, Sean Smith et al., Open-Source Applications of TCPA Hardware. 20th Annual Computer Security Applications Conference, December 2004.

About the Author

Professional/Job Title
Associate Professor for Intellectual Property, ETH Zurich, Switzerland; Non-Residential Fellow at CIS, Stanford Law School
