Bruce Schneier has written an interesting and widely-circulated blog entry about TCG's Best Practices document. He is wondering why the document applies to hardware-based TC architectures only, but not to Trusted Network Connect (TNC) and TC architectures that are purely software-based. While I generally agree with his comments, here are three slight qualifications:
- TNC is not necessarily purely software-based. Under TNC, the use of TPMs offers some advantages, but is optional. Therefore, TNC does not require TPMs, but if they are available, it makes use of them.
- TCG's Best Practices Document does not explicitely state that it only applies to hardware-based architectures. However, reading the document and its repeated reference to TPMs, it is clear that TCG had only hardware-based architectures in mind when it created this document.
- The policy implications of purely software-based architectures seem very similar to the implications of hardware-based architectures (see my earlier question on whether virtualized TPMs pose any distinct policy problems). The only difference may be that the security provided by software-based architectures can be lower, therefore circumvention of the security measures becomes easier. As a consequence, the tension between such architectures and public policy may be a little bit smaller compared to hardware-based architectures. But I may be wrong on this and would be interested to hear what other think about this issue.
In the end, it comes down to what importance one thinks the Best Practices document has. Some people may think it is just a waste of paper. In a comment to his blog entry, Bruce disagrees:
"The point of the document is not to have teeth, but to be a technical resource for other documents with teeth. If the U.S.government were serious about computer security, for example, they could require all the computers they buy be compliant with this document."
I tend to agree with Bruce; and even if the U.S. government decides not to base any policy decisions on this document, other governments might (as you may know, the German government has been pretty active in TC-related matters, e.g.). So if Bruce's assessment is correct, then it would indeed be very bad to have a policy document for hardware-based TC only.