Re: A _good_ and valid use for TPM
From: Alex Besogonov
Subject: Re: A _good_ and valid use for TPM
Date: Sat, 21 Feb 2009 18:48:50 +0200

On Sat, Feb 21, 2009 at 3:51 PM, Robert Millan <address@hidden> wrote:
> I don't agree with this analogy. Unlike cryptography, TPMs have been designed
> from the ground up to serve an evil purpose. They *could* have designed
> them with good intent, for example either of these could apply:
> - Buyer gets a printed copy of the TPM's private key when they buy a board.

The private part of the endorsement key _never_ leaves the device (if
the manufacturer uses the recommended TPM_CreateEndorsementKeyPair
method). Even the device manufacturer doesn't know it. The public key is
then signed by the manufacturer's certificate. This ensures that the
private key can't be compromised. Besides, you can _disable_ the
endorsement key (TPM_DisablePubekRead) to protect your privacy.

TPM also has a notion of "ownership", and it supports ownership change
(which requires the physical presence of an operator).

> - An override button that's physically accessible from the chip can be
> used to disable "hostile mode" and make the TPM sign everything. From
> that point physical access can be managed with traditional methods (e.g.
> locks).
That's not a very good idea.