I have only one problem with TPM or TPM-like technology: the desire to
kill rooting will hamper development.

IMO, it should be technically possible to root devices but data encrypted
by the original OS should be useless due to a changed encryption key.
The same should be valid for keys enrolled through the original OS.

This is probably only feasible if the "TPM" is a part of the main CPU
which I also think is what is going to happen.

The TPM enables organizations to *optionally* reject connecting devices
not running "legitimate" OSes.  That's OK; they already do that to some
extent.

Related: Microsoft's TPM-based VSD (Virtual Smart Card) scheme:
http://www.microsoft.com/en-us/download/details.aspx?id=29076

Anders

On 2012-12-18 05:10, Jeffrey Walton wrote:
> http://www.networkworld.com/news/2012/121712-nist-tia-265172.html
> 
> A mobile security technology proposal drafted by the National
> Institute of Standards and Technology (NIST) is being soundly rejected
> by one of the main trade groups representing a broad cross-section of
> industry.
> 
> NIST's "Guidelines on Hardware-Rooted Security in Mobile Devices,"
> issued in draft form in October and out for public comment until last
> Friday, has drawn sharp criticism from the Telecommunications Industry
> Association, which labeled NIST's proposal as "over-prescriptive"
> because it "suggests that security in mobile devices can only be
> realized using a specific architectural implementation of secure or
> trustworthy environment, namely the Trusted Platform Module (TPM)
> architecture specified by the Trusted Computing Group (TCG)."
> 
> TPM is "one way to implement security in mobile devices but it isn't
> the only way," said Brian Scarpelli, senior manager of government
> affairs at Arlington, Va.-based TIA, adding that software-based
> security can also be relied on. He indicated the TIA membership of
> carriers and software vendors would prefer not to have to adhere to a
> specific implementation to meet new federal guidelines for mobile
> devices, and TIA is reaching out to NIST to voice its objections. TIA
> industry membership includes carriers such as Verizon Communications
> and Sprint Nextel, as well as Apple, Dell and Vare.
> 
> The TPM specification from the TCG is a hardware-based
> cryptographic-processing technology that can be used for several
> security purposes, primarily device integrity. TPM is used in desktops
> and servers but not mobile devices at present. The National Security
> Agency, for example, which influences technology decisions made at the
> U.S. Department of Defense, has been an enthusiastic proponent of TPM.
> 
> TPM exists in much internal computer hardware today, though it appears
> to suffer from lack of widespread deployment in part due to lack of
> applications making it easy to deploy.
> 
> NIST argues for TPM by saying that "many mobile devices are not
> capable of providing strong security assurances to end users and
> organizations. Current mobile devices lack the hardware-based roots of
> trust that are increasingly built into laptops and other types of
> hosts."
> 
> NIST says it wants to "accelerate industry efforts" to use
> hardware-rooted trust technologies, and specifically TPM, in mobile
> devices such as smartphones and tablets that the federal government
> would acquire. NIST criticizes today's mobile devices, saying they are
> "vulnerable to 'jailbreaking' and 'rooting,' which provide device
> owners with greater flexibility and control over the devices, but also
> bypass important security features which may introduce
> vulnerabilities."
> 
> NIST asserts in its guidelines proposal that TPM and hardware-based
> root of trust is the model the federal government would like to see
> for use in assuring device integrity and verification, and that this
> would also help the government in adopting a bring-your-own-device
> approach where government employees could use their personally owned
> devices for work as well.
> ...
> 
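
The property asked for in the reply at the top of this message (rooting stays technically possible, but data and keys from the original OS become useless) is what binding a storage key to boot measurements provides. The sketch below is an added example, not code from this thread or from any TPM stack; the component names, the device secret and the HMAC-based cipher are constructed stand-ins.

```python
import hashlib, hmac, os

DEVICE_SECRET = b"constructed-per-device-hardware-secret"   # constructed sample value
STOCK_BOOT = [b"bootloader-1.0", b"stock-kernel", b"stock-system-image"]
ROOTED_BOOT = [b"bootloader-1.0", b"custom-kernel", b"stock-system-image"]

def measure_boot(chain):
    """TPM-style extend: pcr = SHA-256(pcr || SHA-256(component))."""
    pcr = bytes(32)
    for component in chain:
        pcr = hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()
    return pcr

def storage_key(device_secret, pcr):
    """The key is a function of the hardware secret AND of what was booted."""
    return hmac.new(device_secret, b"storage-key" + pcr, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Stdlib-only stand-in for an AEAD (encrypt-then-MAC); use AES-GCM in practice.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Return the plaintext, or None if the key does not match the sealed data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def demo():
    # Same hardware secret, different boot chain: the derived key changes.
    stock_key = storage_key(DEVICE_SECRET, measure_boot(STOCK_BOOT))
    rooted_key = storage_key(DEVICE_SECRET, measure_boot(ROOTED_BOOT))
    blob = seal(stock_key, b"enrolled credential")
    return unseal(stock_key, blob), unseal(rooted_key, blob)

if __name__ == "__main__":
    print(demo())
```

The modified boot chain still runs, but it derives a different key, so the blob sealed under the stock OS fails authentication instead of decrypting.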
