> ----- Message from "Li, David" <LiD@cloudshield.com> on Thu, 8 Sep
> 2011 17:15:40 -0700 -----
>
> [Trusted-computing] A Question on EK
>
> We are supposed to trust the CA that issues the EK certificate.  The
> chain of trust from this point on allows creation of other keys for
> signing and storage. But what if we are not sure if the CA for the
> EK is 100% trustable given that the TPM vendor is not totally
> trustable?  Is there any way to trust all the latter key creations?
>
> The spec says users can create their own EK and use their own CA to
> certify it. Can this approach solve the above problem?

In my opinion, if you can't trust the TPM hardware (or software in a virtual TPM),
the game is over.

Some TPMs might allow external creation of an EK, but it's vendor specific.
Others may allow you to run a command and have the TPM generate an EK.
However, you don't gain any security by putting a very strong key into weak
hardware.

Similarly, it doesn't help to certify a weak key with a strong CA.