Re: [Trusted-computing] A Question on EK

Friday, 9 September 2011

...
 ----- Message from "Li, David" <LiD(a)cloudshield.com&gt;
on Thu, 8 Sep 
 2011 17:15:40 -0700 -----

 [Trusted-computing] A Question on EK

 We are supposed to trust the CA that issues the EK certificate.  The
 chain of trust from this point on allows creation of other keys for 
 signing and storage. But what if we are not sure if the CA for the 
 EK is 100% trustable given that the TPM vendor is not totally 
 trustable?  Is there any way to trust all the latter key creations? 

 The spec says users can create their own EK and use their own CA to 
 certify it. Can this approach solve the above problem?  
In my opinion, if you can't trust the TPM hardware (or software in a 
virtual TPM),
the game is over.

Some TPMs might allow external creation of an EK, but it's vendor 
specific.
Others may allow you to run a command and have the TPM generate an EK.
However, you don't gain any security by putting a very strong key into 
weak
hardware.

Similarly, it doesn't help to certify a weak key with a strong CA.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011