Hi Guys, Pardon me for interfering in the conversation but I'm pretty sure that you in a not too distant future will indeed be able to sign PCR values with the TPM's private key without any AIK bootstrapping.
The rationale for crippling EK isn't for real, privacy does not depend on if a key is limited to encryption or if the identity information can be cryptographically bound to a platform or not. The latter is only of importance in the case there some kind of legal or business issue associated with a key which is entirely different to privacy. So why will TPMs change? Because the TPM concept will be challenged by schemes having built-in signing EKs, feature huge memory space (phones have gigabytes of flash these days ), and is supported by air-tight provisioning methods not only for keys but for certificates and attributes as well. Hardware: http://mbed.org Whitepaper: http://webpki.org/papers/keygen2/secure-key-store.pdf Air-tight provisioning core facility: http://webpki.org/papers/keygen2/session-key-establishment--security-element-2-server.pdf Note: this scheme does not make Privacy CAs redundant, they just eliminate AIKs for the numerous of the use-cases where it is actually a *feature* that your platform is identified which includes VPNs and IMHO also consumer-banking. Anders ------------------------------------------------------------------------------ Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev _______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
