Hi Chloé, You can't sign arbitrary data using an AIK, only PCR values and non-migratable keys.
Since the certificate is supposed to be provided only for requests issued by real TPMs, when checking the signature made by a certified AIK, one can trust that it's a TPM that is handling it, and therefore, trust its behavior of not allowing TPM external data to be signed with such type of key. The verifier should be certain that the Privacy CA that issued the certificate is functioning as expected, only certifying AIKs that were generated and being handled by real TPMs. Thanks --- Rajiv Andrade Security Development IBM Linux Technology Center On Aug 15, 2010, at 7:12 PM, chloé Fouquet wrote: > Hi, > Once we have an AIK and its certificate, is it possible to sign everything we > want with this key? What prevents us to sign false values of PCRs with this > key ? > How a verifier can be convinced, after having received structures as the ones > provided by the methods CollateIdentityRequest and Quote, that the attesting > party has signed the right PCR values of its TPM ? > > Thanks for looking, > > Chloé > ------------------------------------------------------------------------------ > This SF.net email is sponsored by > > Make an app they can't live without > Enter the BlackBerry Developer Challenge > http://p.sf.net/sfu/RIM-dev2dev > _______________________________________________ > TrouSerS-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/trousers-users ------------------------------------------------------------------------------ This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev _______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
