Hi,
I don't understand how a credential for an AIK can be provided. If I create
an AIK, Ki-Ki-1, and call CollateIdentity with a CaPubKey from a key pair
that is mine, I'm able to get the TPM credential. Now what prevents me from
creating a new IdentityRequestBlob using a personal key pair K-K-1 and sending
it to a Certificate Authority? The latter will verify my TPM credential and
send me back a credential for the key K. Now I decrypt this credential with
ActivateIdentity and the parameter Ki. The TPM will decrypt the message and
give me the credential because it will think that it is for Ki, but it is for
K. After that I can use K to sign false PCR values, and another party
will think that I'm using a genuine AIK...
Isn't the signature of the public AIK by the endorsement key missing from the
operation CollateIdentity?
I don't understand why, using CollateIdentityRequest and ActivateIdentity, we
can be sure that the private key of the AIK is inside the TPM...

Thanks for looking

Chloé
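The activation step the question turns on, as an added illustration that is not code from TrouSerS, the TPM specification or the poster: a stand-alone Python model of the CA side and the TPM side of ActivateIdentity. Textbook RSA stands in for the EK and AIK key pairs and a SHA-256 keystream for the symmetric wrap (real TPMs use RSA-OAEP and a real cipher; the function names, key sizes and the sample credential strings are all constructed for this example). What it shows is the detail that blocks the substitution described above: the blob the CA encrypts to the EK carries not only the session key but the digest of the AIK public key the credential was issued for, and the TPM compares that digest with the AIK it actually has loaded before releasing anything. A credential requested for a software key K therefore cannot be unwrapped with Ki loaded, which is why no separate EK signature over the AIK is needed in the request.

```python
# Constructed model of TPM 1.2 ActivateIdentity (not TrouSerS code). Textbook
# RSA stands in for the EK/AIK key pairs and a SHA-256 keystream for the
# symmetric wrap; only the idDigest comparison is the point being shown.
import hashlib
import hmac
import os
import random

SESSION_KEY_LEN = 16
DIGEST_LEN = 20  # TPM 1.2 idDigest is a SHA-1 hash


class ActivationError(Exception):
    """Where a TPM would fail ActivateIdentity with a bad-parameter error."""


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used only for toy RSA key generation."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def gen_keypair(bits=512):
    """Toy unpadded RSA: returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(pub, data):
    n, e = pub
    m = int.from_bytes(data, "big")
    assert m < n, "unpadded toy RSA: plaintext must be below the modulus"
    return pow(m, e, n)


def rsa_decrypt(priv, cipher, length):
    n, d = priv
    return pow(cipher, d, n).to_bytes(length, "big")


def pubkey_digest(pub):
    """Stand-in for the SHA-1 over TPM_PUBKEY that TPM and CA both compute."""
    n, e = pub
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.sha1(n_bytes + e.to_bytes(4, "big")).digest()


def _keystream_xor(key, data):
    """Toy stream cipher; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def ca_issue_credential(ek_pub, aik_pub, credential):
    """Privacy CA side. The EK-encrypted blob (TPM_ASYM_CA_CONTENTS) carries
    the session key together with the digest of the AIK it was issued for."""
    session_key = os.urandom(SESSION_KEY_LEN)
    asym_blob = rsa_encrypt(ek_pub, session_key + pubkey_digest(aik_pub))
    return asym_blob, _keystream_xor(session_key, credential)


def tpm_activate_identity(ek_priv, loaded_aik_pub, asym_blob):
    """TPM side. The session key is released only if the digest inside the
    blob names the AIK currently loaded; otherwise the command fails."""
    plain = rsa_decrypt(ek_priv, asym_blob, SESSION_KEY_LEN + DIGEST_LEN)
    session_key, id_digest = plain[:SESSION_KEY_LEN], plain[SESSION_KEY_LEN:]
    if not hmac.compare_digest(id_digest, pubkey_digest(loaded_aik_pub)):
        raise ActivationError("idDigest does not match the loaded AIK")
    return session_key


def run_scenario():
    """Honest activation for Ki, then the substitution described in the mail."""
    ek_pub, ek_priv = gen_keypair()
    ki_pub, _ = gen_keypair()  # AIK Ki: private half lives in the TPM
    k_pub, _ = gen_keypair()   # K: software key pair owned by the requester
    credential = b"constructed credential for AIK Ki"
    asym, sym = ca_issue_credential(ek_pub, ki_pub, credential)
    session_key = tpm_activate_identity(ek_priv, ki_pub, asym)
    honest_ok = _keystream_xor(session_key, sym) == credential
    asym_k, _ = ca_issue_credential(ek_pub, k_pub, b"constructed credential for K")
    try:
        tpm_activate_identity(ek_priv, ki_pub, asym_k)  # Ki loaded, blob is for K
        attack_rejected = False
    except ActivationError:
        attack_rejected = True
    return honest_ok, attack_rejected


if __name__ == "__main__":
    print(run_scenario())  # (True, True)
```

Running the module prints (True, True): the credential bound to Ki opens, while the blob the CA built for K is refused with Ki loaded, even though it was encrypted to the same EK. The CA still has to see a genuine EK (the "TPM credential" in the mail) so that only that TPM can decrypt the blob at all; the digest inside the blob is what ties the decryption to one specific AIK.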
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users