> ----- Message from "Li, David" <LiD(a)cloudshield.com> on Thu, 8 Sep
> 2011 17:15:40 -0700 -----
>
> [Trusted-computing] A Question on EK
>
> We are supposed to trust the CA that issues the EK certificate. The
> chain of trust from this point on allows creation of other keys for
> signing and storage. But what if we are not sure if the CA for the
> EK is 100% trustable given that the TPM vendor is not totally
> trustable? Is there any way to trust all the latter key creations?
>
> The spec says users can create their own EK and use their own CA to
> certify it. Can this approach solve the above problem?
In my opinion, if you can't trust the TPM hardware (or software in a
virtual TPM),
the game is over.
Some TPMs might allow external creation of an EK, but it's vendor
specific.
Others may allow you to run a command and have the TPM generate an EK.
However, you don't gain any security by putting a very strong key into
weak
hardware.
Similarly, it doesn't help to certify a weak key with a strong CA.