Intel to include DRM in new Pentium 4 series processors

[Brian Gladman]

From: "Matthew Astley" <lists-ukcrypto@fruitcake.demon.co.uk>
To: <ukcrypto@chiark.greenend.org.uk>
Sent: Friday, September 13, 2002 10:43 AM
Subject: Re: Intel to include DRM in new Pentium 4 series processors


> On Thu, Sep 12, 2002 at 09:51:44PM +0800, Brian Gladman wrote:
> > From: "Nicholas Bohm" <nbohm@ernest.net>
> > > At 19:40 12/09/2002 +0800, Brian Gladman wrote:
>
> > > >It is true that a company can take GPL'd software and provide it
> > > >in a form that allows the user to say that it is _this_
> > > >particular version of the software that they want to run. The
> > > >company providing this software has to comply with the GPL
> > > >(assuming that this holds up legally) and this means that anyone
> > > >else can compile and sign this software and a PC owner can choose
> > > >to use this alternative.
>
> This is the nub .. erm, crux of your earlier mail, I believe: that you
> personally think it is very important that
>
>   Joe Public [Limited Company] can sign a binary, and
>   Colin Customer can load the appropriate key and run the binary.
>
> Of course Joe PLC has to be able to sign code. The whole project would
> sink like a stone otherwise.
>
> So are we back to key management again? Familiar ground. 8-)

Yes, this is the achilles heel.  But you will be able to do your own key
management on a TCPA machine and this will be sufficient to allow you to
manage the machine metrics that you need as the machine owner.

If Nicholas and I want to use cryptographic software with TCPA key
protection, we can each self certify our keys and exchange them using
whatever means we choose.  Of course Walt Disney won't accept keys certified
in this way but since both Nicholas and I are sceptical about third party
CAs we will be a lot happier with this approach for the TCPA 'privacy CA'.

> Does the key have to be signed/issued by a CA? Or can you generate
> your own and get it signed by a friend, a la PGP?

You can use a key signed by anyone.  TCPA takes the view that it is up to
the PC owner (not necessarily the user) to decide who (and what) they wish
to trust.

[snip]
> For the record I note that Microsoft's current MUAs use the CA route.
> PKCS#foo, is it? This system has always seemed rather feudal to me.
>
> > > >They can do this themselves if they choose or they can take the
> > > >software from any Free Software/Open Source distributor that
> > > >wishes to supply TCPA signed OS or applications software.
>
> The distributor, being an instance of Joe Public, appears to be
> irrelevant at this point.
>
> There's another case here. Is Colin Customer allowed to self-sign an
> old copy of Office 97, in order to make that run on his new machine?
> Can this be controlled independently of his ability to sign code for
> which he has source?
>
> I can't see that there is any benefit to Microsoft in preventing this.
> Old Microsoft software can just be "other software". No big deal, even
> if it's pirated.
>
> > > This seems to imply that the owner of a TCPA machine can use it to
> > > verify any signatures he wants (i.e. import into TCPA any public
> > > keys he trusts) and will not be dependent on having keys signed by
> > > parties approved by the TCPA consortium or anyone else.
> > >
> > > Is this in fact a feature of TCPA?
> >
> > Yes, I believe this to be the case.
>
> This is where I have to pick flies, sorry. It isn't the case now,
> because the system doesn't exist (in public) yet.

TCPA will never exist in a physical sense since it is only ever going to be
a paper specification.  My assumption was that Nicholas was asking the
question in the context of a TCPA compliant machine (and given the current
state of the TCPA specification).

[snip]
> When the user clicks the "Yes I trust this software vendor" button,
> does the hardware whip out its internal signing key and sign on the
> user's behalf?
>
> Based on this I don't see how anyone can promise that the hardware
> owner will _always_ be able to load any key he wishes.

Of course not - in a trivial case the secure store may be full.  But in
priciple the PC owner has full control over TCPA key management features.

However, once an owner allows a remote agent to 'rent' a secure box on their
machine, they won't necessarily know what is goes on inside this box AND
they won't necessarily know what their machine is doing when it is running
software designed to run in association with this box.

This seems to me to be an incredibly stupid thing to allow on a machine that
any owner wants to continue to trust.  I take the view that as soon as my
machine runs _any_ software for which I do not know the functionality, I
have then lost any ability to trust what my machine does from this point on
(at least on current machines). And for me this means that TCPA DRM features
may allow a remote agent to place more trust in a machice but they do so at
the expense of the ability of the owner's trust in it.

> If the special case is removed, for example by no longer trusting keys
> certified by the local hardware, then the machine turns into a TV.
> Read only.
>
> Whether to allow local code signing is just one bit, and it can be
> stored in OTP ROM or flash, in the CPU. It's all just software, and
> the software controls the trust. That's the whole point isn't it?
>
> This isn't such a disaster though. If I want to run my own programs,
> after the self-sign is disabled, then I can just buy a licence for my
> compiler.

As Ross has pointed out (before he got sidetracked on the GPL) whether or
not it is a disaster depends on its effect on the market.

   Brian