zlacker

[return to "Remote Attestation is coming back"]
1. walter+fl[view] [source] 2022-07-30 01:50:57
>>gjsman+(OP)
Prior thread, https://news.ycombinator.com/item?id=32234561

> On-premise, open-source, customer-owned remote attestation servers are possible. Avoid outsourcing integrity verification to 3rd-party clouds.

With owner-operated OSS MDM & attestation servers, PCs can have diverse, owner-customized OS and configs, reducing monoculture binary blobs.

◧◩
2. userbi+9n[view] [source] 2022-07-30 02:21:46
>>walter+fl
PCs can have diverse, owner-customized OS and configs,

...which won't be able to interact with any of the walled gardens which will be enabled by these same technologies.

◧◩◪
3. walter+nn[view] [source] 2022-07-30 02:24:51
>>userbi+9n
That cuts in both directions. If sufficiently large customers run their own attestation servers, the discussion moves from binary yes/no attestation to the details of interoperable measurements, single-purpose OS components and provable security vs vendor lock-in.

Walled gardens care about including their large customers, so it's not as simple as locking them out. There is also an ongoing EU legislative effort to mandate digital platform interoperability, which will likely apply to attestation.

◧◩◪◨
4. userbi+Jw[view] [source] 2022-07-30 04:39:26
>>walter+nn
...and the large customers are going to treat users as the attackers to be secured against, so I don't think that's going to help one bit.
◧◩◪◨⬒
5. walter+by[view] [source] 2022-07-30 05:08:15
>>userbi+Jw
Many owner-defined OSes would be a bit better than a handful of vendor-defined OSes being imposed on the entire planet. Influencing device owners to provide sensible policies would be the next step, but at least there would be the possibility of competition, and the voices of multiple economic stakeholders.

Attestation can also be entirely local, e.g. between a device and a USB key with OSS software that is configured by the owner.

◧◩◪◨⬒⬓
6. salawa+qn1[view] [source] 2022-07-30 15:35:58
>>walter+by
Once again. To meaningfully exist seperate from digital overlords, you must be able to grok nuances of cryptography. You are dead on arrival for 95% of the populace.
◧◩◪◨⬒⬓⬔
7. walter+mH1[view] [source] 2022-07-30 17:57:33
>>salawa+qn1
Do you consider Let's Encrypt to be a digital overlord? Many are using this service successfully without being cryptography experts?

Why can't there be a "local attestation server" equivalent to Lets Encrypt, e.g. offering the Top 10 most-requested OS configurations which are not being addressed by digital overlords?

Cryptographer priests are scarce, but not numerically capped or fully monopolized by digital overlords.

◧◩◪◨⬒⬓⬔⧯
8. salawa+h92[view] [source] 2022-07-30 21:34:41
>>walter+mH1
Let's Encrypt is spawned by digital overlords, btw.

Might be overseen by a neutral group, but it was spawned out of them.

And I'm sorry, but no. Absolutely not. If I have to teach someone to do a damn Certificate signing request just to say, get a kernel tweak done, or (nightmare mode) just to run a self-written hello world because the powers that be have decided that nothing less than perfect non-repudiation of every binary ever built from now on is acceptable; (the logical terminis of "apply cryptography to programming until top down control is realized)... I'm not even completing the thought. This is a bad, bad, bad, bad, bad idea.

[go to top]