Hi Anders,

Thanks for your reply.

> As you say TPMs may be used in a bad way. It is really up to
> the "market" to decide what to use TPMs for. This includes us as well :)

I completely agree with you here. Especially since the TPM-enabled technologies haven't been widely implemented yet into operating systems and applications. How exactly they will/should be implemented is unclear. For example, the TPM functionality should not be accessible by any user application. Also, one widely-circulated issue is that each TPM has an ID, which in theory can be used to disallow privacy on the web. However, if the implementation does not allow the ID to leave the host platform, then this wouldn't be an issue. When I read about TPM technologies and the TCPA online, it sometimes sadly reminds me of the Salem witch hunt...

> If platform attestations will reach TLS or not is of course an interesting
> topic and at this stage we can just guess.

It would be interesting to hear some arguments against this happening. I personally don't have any.

> The reason why I'm a bit
> skeptical is really due to the deployment state of TLS client-auth compared to various "plugin" methods. The latter has become a necessity due to the browser vendors' neglect of a signature solution, which has forced the development of standalone crypto support (e.g. Java) rather than using the native browser and OS crypto. These solutions are incompatible with the native TLS client-auth.

What are the "plugin" authentication methods you refer to, are they also certificate-based? Also what do you mean by "a signature solution" - do you mean that browsers do not have support for digital signature incorporated in them? I thought that Firefox does - isn't this NSS functionality exported to other Firefox modules through the PSM or other XPCOM interfaces?

Regards,
Peter

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto