After some public and non-public hearings held last year in Germany, the German government, more particularly the German ministries of the Interior and of Economics, has released some "comments" on TCG and NGSCB. While a German version has been floating around for some time, I have now found an English version over here. The document is rather interesting to read, as it includes both technology- and policy-related demands on TCG and NGSCB.

Of course, you cannot expect an official Government position paper to go into every detail and call for extreme changes in the trusted computing architecture. Furthermore, some of the comments are of a rather general nature. Yet, others are interesting. The paper covers both TCG and NGSCB, although the NGSCB section is much shorter. As the exact future of NGSCB is currently unclear, I will focus on the comments the German government makes on TCG:
- 3.1: the demand for full migrability of all cryptographic keys which are needed to use software, data and online services (does this apply to TCG's non-migratable keys as well?)
- 3.5: the demand for on-chip generation of all non-exportable keys (such as the endorsement key). This feature is now offered, to some extent, in TCG 1.2.
- 4.1: the demand for a hardware-based deactivation feature.
- 5.4: the call for technical or organizational solutions to prevent the linking of AIKs by a certification authority.
- 5.5-5.6: the call for competition between different certification authorities under government supervision due to data protection laws.
- 5.7: the call for zero-knowledge-based certification processes (which is now also offered, to some extent, in TCG 1.2).
- 6.1: the call for an exemption of non-commercial open source projects from TCG licensing fees (!).
- 6.2: the call for an open-source-style license for the TSS.
- 6.4: thoughts about creating a technology pool that would license all the necessary patents that are needed in order to build software upon TCG (an idea that was first proposed by Andreas Neumann).
- 7.1: the call for a free membership category in TCG for non-commercial projects.
- 8.1, 8.2: the warning that trusted computing should not be used to create market entry barriers or reinforce market-dominating positions in the IT sector. (Of course, this is a very general statement. Basically, it is aimed at the owner override discussions. And although some had demanded this in the discussions, for reasons I have described elsewhere, I think it's good that the paper does not endorse any solution to this problem, in particular not the owner override solution.)
- 8.3: the call for an arbitration council to resolve potential disputes.
Other comments are somewhat fuzzy:
- 3.2: "If DRM solutions are developed [on top of TCG], such solutions must consider the user's right to copy data and programs for private purposes..." Well, that is a nice statement, but I doubt whether the authors have checked whether that's in compliance with the current German copyright law. At least for content other than computer software, the statute allows content providers to prevent users from copying content by using technological protection measures (this is, to some extent, similar to the DMCA in the U.S.). Therefore, at least under most conditions, there is no "user's right to copy data" under the existing copyright act. (Don't get me wrong: I am not saying that I like this situation, I am just describing it.)
In conclusion, in most parts, the document does not raise any totally new issues or propose any radically new approaches. However, some aspects are interesting nevertheless and, at least, it's the first official, rather in-depth statement by a government on TCG and NGSCB.