<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-5912267511864569747.post4525635769330511463..comments</id><updated>2008-01-04T09:04:10.941+09:00</updated><title type='text'>Comments on lazyweb classifieds: Rethinking Trusted Computing</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.bosabosa.org/feeds/4525635769330511463/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5912267511864569747/4525635769330511463/comments/default'/><link rel='alternate' type='text/html' href='http://blog.bosabosa.org/2008/01/rethinking-trusted-computing.html'/><author><name>dds</name><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>2</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5912267511864569747.post-5443017416771462918</id><published>2008-01-04T09:04:10.941+09:00</published><updated>2008-01-04T09:04:10.941+09:00</updated><title type='text'>While I agree that the TPM chip has a lot of value...</title><content type='html'>While I agree that the TPM chip has a lot of value and usefulness to end users, at the same time I see a germ of truth to RMS's critique. The TPM chip does in fact have a key whose secret value is not knowable to the user or controllable by him. It is called the Endorsement Key and comes installed more-or-less permanently in the chip. 
The chip will do certain things with the EK and follow certain rules in using it, and the user can't get the chip to break the rules.&lt;BR/&gt;&lt;BR/&gt;There is also another key called the Storage Root Key which is generated dynamically at the time the user initializes and enables his TPM chip. That key, too, is never revealed to the user and is used only by the TPM chip according to its rules.&lt;BR/&gt;&lt;BR/&gt;Having said that, there is no truth to the stories that Hollywood or some other institution will know or control these keys. Only the TPM chip knows them, and it acts as essentially an independent agent in terms of how it uses these keys. It is this independence which is so threatening to RMS and others, and either out of confusion or manipulation they present these claims that someone else controls your computer. This is false, but it is true that your computer can gain a degree of independence and autonomy which is impossible with classical computing models. I see this technology as having great potential for opening up new ways of handling information, but some others see only the threat of losing complete control over their computers.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5912267511864569747/4525635769330511463/comments/default/5443017416771462918'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5912267511864569747/4525635769330511463/comments/default/5443017416771462918'/><link rel='alternate' type='text/html' href='http://blog.bosabosa.org/2008/01/rethinking-trusted-computing.html?showComment=1199405050941#c5443017416771462918' title=''/><author><name>Hal Finney</name><uri>http://www.blogger.com/profile/03982492169754485098</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.bosabosa.org/2008/01/rethinking-trusted-computing.html' 
ref='tag:blogger.com,1999:blog-5912267511864569747.post-4525635769330511463' source='http://www.blogger.com/feeds/5912267511864569747/posts/default/4525635769330511463' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-5912267511864569747.post-2111257781519938939</id><published>2008-01-03T22:09:59.850+09:00</published><updated>2008-01-03T22:09:59.850+09:00</updated><title type='text'>/me nods. I'm not particularly security literate so...</title><content type='html'>/me nods.&lt;BR/&gt;&lt;BR/&gt;I'm not particularly security literate so please forgive my ignorance where possible.&lt;BR/&gt;&lt;BR/&gt;In terms of e-mail, I don't think that normal e-mail in the wild (e.g. personal e-mail) would be an issue as much as inter-company e-mail that was set up on a mandated OS and set to require you to encrypt your e-mails and for the key to expire after a set time period. Maybe your boss tells you to do something criminal but the key provided to decrypt the message expires and the message is unreadable after a week or so.&lt;BR/&gt;&lt;BR/&gt;Wouldn't another worry be TPMs preset to only allow booting of kernels signed by the manufacturer (e.g. only Windows)?&lt;BR/&gt;&lt;BR/&gt;I guess I never really read the RMS essay as a "TPMs are BAD!" essay but rather as a "Jeez, TPMs could be used to restrict booting of free operating systems, but if you can, you should because you would have control of the TPM" essay. 
Though the second part is not explicitly written and was my interpretation.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5912267511864569747/4525635769330511463/comments/default/2111257781519938939'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5912267511864569747/4525635769330511463/comments/default/2111257781519938939'/><link rel='alternate' type='text/html' href='http://blog.bosabosa.org/2008/01/rethinking-trusted-computing.html?showComment=1199365799850#c2111257781519938939' title=''/><author><name>Ian Lewis</name><uri>http://www.blogger.com/profile/16235834286436870828</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.bosabosa.org/2008/01/rethinking-trusted-computing.html' ref='tag:blogger.com,1999:blog-5912267511864569747.post-4525635769330511463' source='http://www.blogger.com/feeds/5912267511864569747/posts/default/4525635769330511463' type='text/html'/></entry></feed>