Computerworld - Proving the identity of a human computer user is so yesterday -- all those what-you-have, what-you-know and what-you-are questions. Biology is so trivial compared with well-designed authenticating devices, though the missing human raises big philosophical questions.
Device authentication is being refined now to codify how computer hardware and software will prove they are secure for future automated services. Without humans in the loop, computers will soon be interoperating and exchanging software updates on their own.
The big debate is over authenticating devices unfettered by human control mechanisms. The argument is over which master your PC should serve, the local biology or some distant master with regulatory connections.
Device authentication woven into the Internet can turn your computer into Big Brother, an enforcement tool for copyright owners demanding annual subscriptions or one-time fees. It can stop you from playing that song or movie your friend shared with you. It can keep you from breaking the law, regardless of your wishes.
Device authentication offers a lot of very useful technologies to secure the Internet, with memory curtaining, secure input and output, and sealed storage. Even in the technology community, where varying opinions abound on everything, a consensus has formed around the undeniable usefulness of these device authentication methods, which have roots in the Trusted Computing Group's trusted computing security model.
The TCG's security model has traditionally focused on software isolation, keeping programs from interfering with one another. It did not attempt to throttle insecure, harmful or undesirable software, reflecting the democratic tradition of not making too many laws to protect people from themselves.
But an evolving TCG device authentication standard called remote attestation is taking the TCG into uncharted philosophical waters. Remote attestation generates a hash value for software modules authenticating to services or other software, with no user involvement. If users attempt an end run by altering the hash value, they won't be recognized by the remote service or software. Your PC, in effect, has a governor on it telling you what you can and cannot run.
The information libertarians at the Electronic Frontier Foundation are calling remote attestation a Trojan horse threat to the free marketplace of information. In the words of the EFF's Seth Schoen, remote attestation "fails to distinguish between applications that protect computer owners against attack and applications that protect a computer against its owner [who] is sometimes treated as just another attacker or adversary who must be prevented from breaking in and altering the computer's software."
The cybervigilantes at the EFF take issue with the potential
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
