Re: [OLPC-devel] Secure BIOS on the OLPC

[Drew Van Zandt]

Not to sound paranoid (though I suspect I am in this case) but what if rather than a key compromise it's a crypto compromise - someone finds a way to determine the public key from the private key, or finds a vulnerability in the cryptosystem?  Link of interest (old): http://pauillac.inria.fr/~doligez/ssl/  (40b session key only, but still... new things come around the bend pretty often.)

Now a group pools computing power (or quantum computing becomes reality), breaks three (or even two) keys, and you're vulnerable to automated product-wide devestation.

Holding down a button doesn't protect against phishing... but phishing doesn't get all machines overnight, and holding the button down again *may* be enough to let you load a good BIOS again.  (Or not, in which case the only reload vector I can think of would be JTAG or whatever the direct programming method is.)

Is there any compelling reason not to use both the buttonpress and signatures?  Belt, suspenders, as my dad used to say.

--DTVZ

_______________________________________________
Devel mailing list
Devel@laptop.org
http://mailman.laptop.org/mailman/listinfo/devel