220 likes | 578 Views
The role of trusted computing in Internet-scale DRM Geoffrey Strongin AMD Fellow Platform Security Architect geoffrey.strongin@amd.com Overview of this talk Personal background Brief introduction of XRI and XDI XDI link contracts Standardized contracts
E N D
The role of trusted computing in Internet-scale DRM Geoffrey Strongin AMD Fellow Platform Security Architect geoffrey.strongin@amd.com
Overview of this talk • Personal background • Brief introduction of XRI and XDI • XDI link contracts • Standardized contracts • Trusted computing and barriers to trusted computing • Trusted computing and link contracts • How Internet-scale DRM may evolve
Personal background • ISTPA – Privacy Framework • XNS XRI, XDI • Trusted Computing Group • AMD’s Presidio Technology • DRM has been a controversial topic in Trusted Computing circles but … a rising tide lifts all boats. • DRM is a big boat! Important Data - policy binding work Bringing Trusted Computing to the PC
Introduction of XRI and XDI • Both XRI and XDI trace back to XNS • XRI (eXtensible Resource Identifier) XRI: A URI compatible scheme for abstract identifiers with lots of 3rd generation features • XRI is being developed at OASIS (XRI TC) • See http://en.wikipedia.org/wiki/XRI • XDI (XRI Data Interchange) • XDI: is a general extensible service for sharing, linking, and synchronizing data over the internet using XRI’s and XML documents
The primary goals of XDI • To develop a standardized data interchange schema and protocol based on Extensible Resource Identifiers (XRIs) and XML • This format can do for machine-readable data what HTML did for human-readable content • To enable “link contracts” – machine-readable data sharing agreements that bind shared data to policies governing its use • Not immediatly a “standarized” DRM, but the plumbing for “general purpose” DRM
The XDI “Dataweb” model • Applies the Web model to machine-readable data sharing • XDI documents are XRI-addressable the same way HTML documents are URI-addressable • URI addressing/linking goes down only to the document fragment level; XRI addressing/linking goes all the way down to the atomic element level • XDI addressing can reference and link elements across XDI documents just like HTML hyperlinks • XDI addressing also supports persistent XRIs, so all nodes can be persistently referenced
XDI link contracts • A link contract is an XDI document governing an XDI data sharing relationship between two XDI data authorities • It “binds” XRI-addressable data to XRI-addressable policies governing its use • Link contracts can cover any type of XDI data (including other link contracts) • Link contracts can associate any type of data sharing policy
Link contracts can include policies for: • Identification • Authentication • Authorization and access control • Privacy and usage control • Synchronization • Termination • Recourse
Policy elements • Every policy referenced by a link contract has its own XRI (or set of XRI synonyms) • The policy itself need not be an XDI document; it might be: • Human-readable text document (e.g., Creative Commons licenses, www.creativecommons.org) • A document in machine-readable policy expression language (XACML, WS-Policy, etc.) • Any other XRI-addressable resource to which the parties can agree
Meaningful link contracts • Unless the party relying on a link contract can reasonably expect the referenced policy to be honored it is valueless • There are already lots of “implied” and “explicit” contracts that operate within the Internet • Many have marginal value since enforcement can be difficult • click-through licensees are enforceable under specific conditions, but the overall story is murky and varies from one polity to another • Policy-containing contracts are not often bound to the data exchanged in a persistent way • XDI helps with some of these issues and trusted computing can help with enforcement • Enforcement from trusted computing implies a policy engine capable of enforcement
Standardized link contracts (referenced policies) • Custom contracts are possible with XDI but like all custom legal work they will be expensive • Enforceability is at least a question • Real computer-to-computer negotiation of such contracts remains a challenge • In brief, this won’t scale • The use of standardized and pro forma contracts appears to be the way to scale the use of link-contracts • The Internet has already spawned lots of standard contracts that are widely referenced • The most obvious example of this are open source licenses • XDI will likely spawn a whole range of new standardized contracts that will come into broad usage • The availability of a pool of such contracts will enable “automatic” contract negotiation where parties are able to identify acceptable contracts in advance
What is “Trusted Computing” • A simplified definition of trusted or trustworthy computing: • The combination of: • A self protecting trusted computing base (TCB) • Reliable measurement agents • Reliable attestation or reporting capability • The foundation blocks for this are in place today, and we are waiting for the whole structure to be built • Some of the reasons that this is slow to emerge are worth noting…
Barriers to the adoption of trusted computing are falling (if slowly!) • Cost – no longer a significant barrier • Availability of the building blocks – mostly solved now • Software TCB elements lagging • Secure Hypervisors and • Credentials still lagging (a chicken and egg game) • Ease of use • Liability issues • Scalability (surprise!)– why we are here • Clear understanding of delivered value
Ease of use as a barrier • Attestation information as originally defined by TCG is difficult to consume • The abstraction level of the elements in the “stored measurement log” has to be raised • The hashes of software objects are “brittle” • More fundamentally – identification and validation don’t directly predict behavior • Attestation needs to move beyond “code signatures” into the behavioral (semantic) realm • We need a standardized language or metrics to express the intersection of the robustness of implementation of a TCB in a platform and the nature of the policies enforced by the TCB • Common Criteria can address the former (at high cost) • We are still lacking a good solution for the latter • We need the equivilent of a credit score for trustworthy platforms
Liability issues as a barrier • Bad things happen! • No one wants to be left holding the bag when they do • Providing attestation data, credentials and other infrastructure components that support trusted computing could result in increased liability on the part of the “supply chain” providers • We may need regulatory relief to foster the growth of trusted computing (PKI) • We may also be able to manage the risk by using XDI link contracts within the attestation infrastructure to establish and allocate liability
XDI and trusted computing • XDI benefits from • trusted computing: • Policy enforcement • Authentication • Non repudiation • Trusted Computing benefits from XDI: • Establishes value in attestation • XDI plumbing for attestation information with “liability” management • Revocation push/pull
Trusted computing as part of the link contract • Attestation of the recipients computing environment and DRM engine can be a data-exchange prerequisite • DRM systems are based on the assumption that the DRM engine has not been hacked • Reliable assessment of the enforcement capabilities of remote platforms becomes possible with trusted computing technology • Participation remains voluntary, but there are public policy implications as this becomes ubiquitous • Powerful tools can always be misused • The link-contracts can work both ways • Assessment for the data provider, and limitations on the use of the attestation information for the data recipient • Privacy principles can become part of the lexicon of standardized link contracts where law and regulation don’t suffice
Link contracts and trusted computing • Some of the factors that come into play: • The level of knowledge about the other party • The value of the transaction • The level of automation involved • How much direct human involvement is present? • Already a factor in lots of transactions (funny text tests) Tools outside of trusted computing that enable data interchange • Reputation services (expected XDI global services) • Law and policy context • Insurance and recourse
How Internet scale DRM may evolve • A little prognostication… • Initial use of XDI will have to depend on established trust relationships • Most data today flows using this kind of model • Consumer “knows” provider • Commercial partners “know” each other • Standardized link contracts will be developed to serve the existing models of data exchange • As XDI evolves it will start to leverage trusted computing where it does exist • This will open the door to some more spontaneous data sharing and will in turn help validate the benefits of trusted computing • Over time a virtuous cycle may emerge where XDI link contracts increasingly use trusted computing and where trusted computing relies more and more on XDI
Our challenge • Break down the remaining barriers to trusted computing adoption • Foster the development and deployment of the technology building blocks (if we build it…) • Focus significant corporate and academic resources on the “ease of use” problem • My request: • Keep an eye on XRI and XDI as they developShare your critical views on this work with the OASIS XRI and XDI TC’s • My hope is that you will leverage these technologies to foster the scale-out of trusted computing
Links for more information on XDI • http://en.wikipedia.org/wiki/XDI • http://www.oasis-open.org • Google for the XDI FAQ