In October 2004, Seth Schoen from the EFF published comments on a still-unpublished draft by the TCG Best Practices Committee called "Design, Implementation, and Usage Principles". And although the TCG paper is not publicly available, the 23 pages of EFF comments are well worth reading. I just want to comment on two issues raised by the EFF:
- On pages 4-5, the comments correctly point out the problem that a principle according to which TCG should avoid the introduction of artificial barriers to interoperability is weak as there is no consensus about what an "artificial" barrier is. In general, I agree that most (if not all) "Best Practices" and legal approaches based on terms such as "artificial", "unduly", "reasonable", "unjustified" enable companies to hide their real preferences behind nice words (the U.S. Microsoft consent decree can also be criticized for this, see here under #4). However, what I miss a little bit in the EFF comments is the remark that, probably, no perfect solution to the remote attestation problem exists. From my understanding, all technical solutions that have been proposed so far have their own problems: they either limit the functionality of a TC platform, are too costly to implement, work only for a certain subset of computer software etc. As long as no perfect solution exists, the real challenge is to compare the pros and cons of all technical, legal and business practice solutions and to decide which, given that there is no perfect solution, is the second-best way to go. I haven't seen a lot of work done on this comparison.
- On pages 6-7, the EFF points out that remote attestation does eliminate the possibility of minority platform users and developers to achieve interoperability unilaterally, and that the incentives for majority platform developers to create such interoperability are very low. In their words: "Code identity verification shifts some of the costs of achieving interoperability onto those who have the least incentive to bear them". This seems a pretty powerful argument, and I haven't found a good response to that.