The role of trusted computing in Internet-scale DRM Geoffrey Strongin AMD Fellow

The role of trusted computing in
Internet-scale DRM
Geoffrey Strongin
AMD Fellow
Platform Security Architect
geoffrey.strongin@amd.com
Overview of this talk
• Personal background
• Brief introduction of XRI and XDI
• XDI link contracts
• Standardized contracts
• Trusted computing and barriers to trusted computing
• Trusted computing and link contracts
• How Internet-scale DRM may evolve
Personal background
• ISTPA – Privacy Framework
• XNS → XRI, XDI
  – Important data-policy binding work
• Trusted Computing Group
• AMD’s Presidio Technology – Bringing Trusted Computing to the PC
• DRM has been a controversial topic in Trusted Computing circles but … a rising tide lifts all boats. DRM is a big boat!
Introduction of XRI and XDI
• Both XRI and XDI trace back to XNS
• XRI (eXtensible Resource Identifier)
  – XRI: a URI-compatible scheme for abstract identifiers with lots of 3rd-generation features
  – XRI is being developed at OASIS (XRI TC)
  – See http://en.wikipedia.org/wiki/XRI
• XDI (XRI Data Interchange)
  – XDI is a general, extensible service for sharing, linking, and synchronizing data over the Internet using XRIs and XML documents
The primary goals of XDI
• To develop a standardized data interchange schema and protocol based on Extensible Resource Identifiers (XRIs) and XML
  – This format can do for machine-readable data what HTML did for human-readable content
• To enable “link contracts” – machine-readable data sharing agreements that bind shared data to policies governing its use
  – Not immediately a “standardized” DRM, but the plumbing for “general purpose” DRM
The XDI “Dataweb” model
• Applies the Web model to machine-readable data sharing
  – XDI documents are XRI-addressable the same way HTML documents are URI-addressable
  – URI addressing/linking goes down only to the document fragment level; XRI addressing/linking goes all the way down to the atomic element level
  – XDI addressing can reference and link elements across XDI documents just like HTML hyperlinks
  – XDI addressing also supports persistent XRIs, so all nodes can be persistently referenced
Core Dataweb Concept (diagram slide)
XDI link contracts
• A link contract is an XDI document governing an XDI data sharing relationship between two XDI data authorities
  – It “binds” XRI-addressable data to XRI-addressable policies governing its use
• Link contracts can cover any type of XDI data (including other link contracts)
• Link contracts can associate any type of data sharing policy
Link contracts can include policies for:
• Identification
• Authentication
• Authorization and access control
• Privacy and usage control
• Synchronization
• Termination
• Recourse
Policy elements
• Every policy referenced by a link contract has its own XRI (or set of XRI synonyms)
• The policy itself need not be an XDI document; it might be:
  – A human-readable text document (e.g., Creative Commons licenses, www.creativecommons.org)
  – A document in a machine-readable policy expression language (XACML, WS-Policy, etc.)
  – Any other XRI-addressable resource to which the parties can agree
Meaningful link contracts
• Unless the party relying on a link contract can reasonably expect the referenced policy to be honored, it is valueless
  – There are already lots of “implied” and “explicit” contracts that operate within the Internet
    – Many have marginal value since enforcement can be difficult
      – Click-through licenses are enforceable under specific conditions, but the overall story is murky and varies from one polity to another
    – Policy-containing contracts are not often bound to the data exchanged in a persistent way
  – XDI helps with some of these issues and trusted computing can help with enforcement
    – Enforcement from trusted computing implies a policy engine capable of enforcement
Standardized link contracts (referenced policies)
• Custom contracts are possible with XDI but, like all custom legal work, they will be expensive
  – Enforceability is at least a question
  – Real computer-to-computer negotiation of such contracts remains a challenge
  – In brief, this won’t scale
• The use of standardized and pro forma contracts appears to be the way to scale the use of link contracts
• The Internet has already spawned lots of standard contracts that are widely referenced
  – The most obvious example of this is open source licenses
• XDI will likely spawn a whole range of new standardized contracts that will come into broad usage
  – The availability of a pool of such contracts will enable “automatic” contract negotiation where parties are able to identify acceptable contracts in advance
What is “Trusted Computing”?
• A simplified definition of trusted or trustworthy computing: the combination of
  – A self-protecting trusted computing base (TCB)
  – Reliable measurement agents
  – Reliable attestation or reporting capability
• The foundation blocks for this are in place today, and we are waiting for the whole structure to be built
  – Some of the reasons that this is slow to emerge are worth noting…
Barriers to the adoption of trusted computing are falling (if slowly!)
• Cost – no longer a significant barrier
• Availability of the building blocks – mostly solved now
  – Software TCB elements lagging
    – Secure Hypervisors and
  – Credentials still lagging (a chicken and egg game)
• Ease of use
• Liability issues
• Scalability (surprise!) – why we are here
• Clear understanding of delivered value
Ease of use as a barrier
• Attestation information as originally defined by TCG is difficult to consume
  – The abstraction level of the elements in the “stored measurement log” has to be raised
    – The hashes of software objects are “brittle”
  – More fundamentally – identification and validation don’t directly predict behavior
    – Attestation needs to move beyond “code signatures” into the behavioral (semantic) realm
  – We need a standardized language or metrics to express the intersection of the robustness of implementation of a TCB in a platform and the nature of the policies enforced by the TCB
    – Common Criteria can address the former (at high cost)
    – We are still lacking a good solution for the latter
• We need the equivalent of a credit score for trustworthy platforms
Liability issues as a barrier
• Bad things happen! No one wants to be left holding the bag when they do
• Providing attestation data, credentials and other infrastructure components that support trusted computing could result in increased liability on the part of the “supply chain” providers
• We may need regulatory relief to foster the growth of trusted computing (PKI)
• We may also be able to manage the risk by using XDI link contracts within the attestation infrastructure to establish and allocate liability
XDI and trusted computing
XDI benefits from trusted computing:
• Policy enforcement
• Authentication
• Non-repudiation
Trusted Computing benefits from XDI:
• Establishes value in attestation
• XDI plumbing for attestation information with “liability” management
• Revocation push/pull
Trusted computing as part of the link contract
• Attestation of the recipient’s computing environment and DRM engine can be a data-exchange prerequisite
  – DRM systems are based on the assumption that the DRM engine has not been hacked
  – Reliable assessment of the enforcement capabilities of remote platforms becomes possible with trusted computing technology
  – Participation remains voluntary, but there are public policy implications as this becomes ubiquitous
    – Powerful tools can always be misused
    – The link contracts can work both ways
      – Assessment for the data provider, and limitations on the use of the attestation information for the data recipient
    – Privacy principles can become part of the lexicon of standardized link contracts where law and regulation don’t suffice
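As an added illustration, not part of the talk, the Python below models the prerequisite just described: the data provider replays the recipient’s stored measurement log, checks the quote it came with, and releases data only if every measured object matches the hashes approved in the link contract, while the contract also records the recipient’s limits on how the attestation data may be used. The PCR-style extend, the HMAC stand-in for a TPM attestation key, the XRIs and the measured objects are all constructed assumptions; the exact-hash policy also demonstrates the brittleness noted under “Ease of use”, since a routine update to the DRM engine is rejected.

```python
import hashlib
import hmac
# Constructed stand-in for the platform's attestation key: an HMAC secret shared
# with the verifier. A real platform would sign the quote with an asymmetric key.
ATTESTATION_KEY = b"demo-attestation-key"

def extend(register: bytes, measurement_hex: str) -> bytes:
    """PCR-style extend: new register = SHA-256(old register || measurement)."""
    return hashlib.sha256(register + bytes.fromhex(measurement_hex)).digest()

def replay_log(log: list) -> bytes:
    """Recompute the aggregate register from a stored measurement log."""
    register = b"\x00" * 32
    for entry in log:
        register = extend(register, entry["hash"])
    return register

def make_quote(log: list, nonce: str) -> dict:
    """Recipient side: quote the replayed register, bound to the provider's nonce."""
    register = replay_log(log)
    sig = hmac.new(ATTESTATION_KEY, register + nonce.encode(), "sha256").hexdigest()
    return {"nonce": nonce, "register": register.hex(), "sig": sig, "log": log}

def evaluate_contract(contract: dict, quote: dict, nonce: str) -> tuple:
    """Provider side: returns (release_data, reason) for the attestation prerequisite."""
    if quote["nonce"] != nonce:
        return False, "stale quote: nonce mismatch"
    register = replay_log(quote["log"])
    if register.hex() != quote["register"]:
        return False, "stored measurement log does not replay to quoted register"
    expected = hmac.new(ATTESTATION_KEY, register + nonce.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False, "bad quote signature"
    allowed = contract["policy"]["allowed_measurements"]
    for entry in quote["log"]:  # exact-hash matching: the "brittle" policy the talk warns about
        if entry["hash"] not in allowed.get(entry["object"], ()):
            return False, "unapproved measurement for " + entry["object"]
    return True, "attestation prerequisite satisfied"
# Constructed link contract: data XRI bound to a policy XRI plus the attestation rule.
HV_OK = hashlib.sha256(b"hypervisor-1.0").hexdigest()
DRM_OK = hashlib.sha256(b"drm-engine-2.3").hexdigest()
CONTRACT = {
    "data": "=provider/+catalog/movie-42",  # hypothetical XRI of the shared data
    "policy": {"xri": "@contracts/+drm/standard-1",  # hypothetical XRI of the policy
               "allowed_measurements": {"hypervisor": {HV_OK}, "drm-engine": {DRM_OK}}},
    "recipient_terms": "attestation data used only for this exchange, not retained"}
GOOD_LOG = [{"object": "hypervisor", "hash": HV_OK}, {"object": "drm-engine", "hash": DRM_OK}]
# The same engine after a routine update: its hash changes, so the exact-match policy rejects it.
PATCHED_LOG = [GOOD_LOG[0], {"object": "drm-engine", "hash": hashlib.sha256(b"drm-engine-2.4").hexdigest()}]
```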
Link contracts and trusted computing
• Some of the factors that come into play:
  – The level of knowledge about the other party
  – The value of the transaction
  – The level of automation involved
    – How much direct human involvement is present?
    – Already a factor in lots of transactions (funny text tests)
• Tools outside of trusted computing that enable data interchange
  – Reputation services (expected XDI global services)
  – Law and policy context
  – Insurance and recourse
How Internet-scale DRM may evolve
A little prognostication…
• Initial use of XDI will have to depend on established trust relationships
  – Most data today flows using this kind of model
    – Consumer “knows” provider
    – Commercial partners “know” each other
  – Standardized link contracts will be developed to serve the existing models of data exchange
• As XDI evolves it will start to leverage trusted computing where it does exist
  – This will open the door to some more spontaneous data sharing and will in turn help validate the benefits of trusted computing
• Over time a virtuous cycle may emerge where XDI link contracts increasingly use trusted computing and where trusted computing relies more and more on XDI
Our challenge
• Break down the remaining barriers to trusted computing adoption
  – Foster the development and deployment of the technology building blocks (if we build it…)
  – Focus significant corporate and academic resources on the “ease of use” problem
My request:
• Keep an eye on XRI and XDI as they develop
• Share your critical views on this work with the OASIS XRI and XDI TCs
• My hope is that you will leverage these technologies to foster the scale-out of trusted computing
Links for more information on XDI
http://en.wikipedia.org/wiki/XDI
http://www.oasis-open.org
Google for the XDI FAQ