[Trusted-computing] A Question on EK

Hi, We are supposed to trust the CA that issues the EK certificate. The chain of trust from this point on allows creation of other keys for signing and storage. But what if we are not sure if the CA for the EK is 100% trustable given that the TPM vendor is not totally trustable? Is there any way to trust all the latter key creations? The spec says users can create their own EK and use their own CA to certify it. Can this approach solve the above problem? Thanks. --- David Li Cloudshield Technologies SAIC