The role of trusted computing in Internet-scale DRM Geoffrey Strongin AMD Fellow Platform Security Architect geoffrey.strongin@amd.com Overview of this talk Personal background Brief introduction of XRI and XDI XDI link contracts Standardized contracts Trusted computing and barriers to trusted computing Trusted computing and link contracts How Internet-scale DRM may evolve 2 Personal background ISTPA – Privacy Framework XNS XRI, XDI Important Data - policy binding work Trusted Computing Group AMD’s Presidio Technology Bringing Trusted Computing to the PC DRM has been a controversial topic in Trusted Computing circles but … a rising tide lifts all boats. DRM is a big boat! 3 Introduction of XRI and XDI Both XRI and XDI trace back to XNS XRI (eXtensible Resource Identifier) XRI: A URI compatible scheme for abstract identifiers with lots of 3rd generation features – XRI is being developed at OASIS (XRI TC) See http://en.wikipedia.org/wiki/XRI XDI (XRI Data Interchange) XDI: is a general extensible service for sharing, linking, and synchronizing data over the internet using XRI’s and XML documents 4 The primary goals of XDI To develop a standardized data interchange schema and protocol based on Extensible Resource Identifiers (XRIs) and XML This format can do for machine-readable data what HTML did for human-readable content To enable “link contracts” – machine-readable data sharing agreements that bind shared data to policies governing its use Not immediatly a “standarized” DRM, but the plumbing for “general purpose” DRM 5 The XDI “Dataweb” model Applies the Web model to machine-readable data sharing XDI documents are XRI-addressable the same way HTML documents are URI-addressable URI addressing/linking goes down only to the document fragment level; XRI addressing/linking goes all the way down to the atomic element level XDI addressing can reference and link elements across XDI documents just like HTML hyperlinks XDI addressing also supports persistent XRIs, so all nodes can be persistently referenced 6 Core Dataweb Concept 7 XDI link contracts A link contract is an XDI document governing an XDI data sharing relationship between two XDI data authorities It “binds” XRI-addressable data to XRI-addressable policies governing its use Link contracts can cover any type of XDI data (including other link contracts) Link contracts can associate any type of data sharing policy 8 Link contracts can include policies for: Identification Authentication Authorization and access control Privacy and usage control Synchronization Termination Recourse 9 Policy elements Every policy referenced by a link contract has its own XRI (or set of XRI synonyms) The policy itself need not be an XDI document; it might be: Human-readable text document (e.g., Creative Commons licenses, www.creativecommons.org) A document in machine-readable policy expression language (XACML, WS-Policy, etc.) Any other XRI-addressable resource to which the parties can agree 10 Meaningful link contracts Unless the party relying on a link contract can reasonably expect the referenced policy to be honored it is valueless There are already lots of “implied” and “explicit” contracts that operate within the Internet – Many have marginal value since enforcement can be difficult click-through licensees are enforceable under specific conditions, but the overall story is murky and varies from one polity to another – Policy-containing contracts are not often bound to the data exchanged in a persistent way XDI helps with some of these issues and trusted computing can help with enforcement – Enforcement from trusted computing implies a policy engine capable of enforcement 11 Standardized link contracts (referenced policies) Custom contracts are possible with XDI but like all custom legal work they will be expensive Enforceability is at least a question Real computer-to-computer negotiation of such contracts remains a challenge In brief, this won’t scale The use of standardized and pro forma contracts appears to be the way to scale the use of link-contracts The Internet has already spawned lots of standard contracts that are widely referenced The most obvious example of this are open source licenses XDI will likely spawn a whole range of new standardized contracts that will come into broad usage The availability of a pool of such contracts will enable “automatic” contract negotiation where parties are able to identify acceptable contracts in advance 12 What is “Trusted Computing” A simplified definition of trusted or trustworthy computing: The combination of: A self protecting trusted computing base (TCB) Reliable measurement agents Reliable attestation or reporting capability The foundation blocks for this are in place today, and we are waiting for the whole structure to be built Some of the reasons that this is slow to emerge are worth noting… 13 Barriers to the adoption of trusted computing are falling (if slowly!) Cost – no longer a significant barrier Availability of the building blocks – mostly solved now – Software TCB elements lagging Secure Hypervisors and – Credentials still lagging (a chicken and egg game) Ease of use Liability issues Scalability (surprise!)– why we are here Clear understanding of delivered value 14 Ease of use as a barrier Attestation information as originally defined by TCG is difficult to consume The abstraction level of the elements in the “stored measurement log” has to be raised – The hashes of software objects are “brittle” More fundamentally – identification and validation don’t directly predict behavior – Attestation needs to move beyond “code signatures” into the behavioral (semantic) realm We need a standardized language or metrics to express the intersection of the robustness of implementation of a TCB in a platform and the nature of the policies enforced by the TCB Common Criteria can address the former (at high cost) We are still lacking a good solution for the latter We need the equivilent of a credit score for trustworthy platforms 15 Liability issues as a barrier Bad things happen! No one wants to be left holding the bag when they do Providing attestation data, credentials and other infrastructure components that support trusted computing could result in increased liability on the part of the “supply chain” providers We may need regulatory relief to foster the growth of trusted computing (PKI) We may also be able to manage the risk by using XDI link contracts within the attestation infrastructure to establish and allocate liability 16 XDI and trusted computing XDI benefits from trusted computing: •Policy enforcement •Authentication •Non repudiation 17 Trusted Computing benefits from XDI: •Establishes value in attestation •XDI plumbing for attestation information with “liability” management •Revocation push/pull Trusted computing as part of the link contract Attestation of the recipients computing environment and DRM engine can be a data-exchange prerequisite DRM systems are based on the assumption that the DRM engine has not been hacked Reliable assessment of the enforcement capabilities of remote platforms becomes possible with trusted computing technology Participation remains voluntary, but there are public policy implications as this becomes ubiquitous – Powerful tools can always be misused – The link-contracts can work both ways Assessment for the data provider, and limitations on the use of the attestation information for the data recipient – Privacy principles can become part of the lexicon of standardized link contracts where law and regulation don’t suffice 18 Link contracts and trusted computing Some of the factors that come into play: The level of knowledge about the other party The value of the transaction The level of automation involved – How much direct human involvement is present? – Already a factor in lots of transactions (funny text tests) Tools outside of trusted computing that enable data interchange Reputation services (expected XDI global services) Law and policy context Insurance and recourse 19 How Internet scale DRM may evolve A little prognostication… Initial use of XDI will have to depend on established trust relationships Most data today flows using this kind of model – Consumer “knows” provider – Commercial partners “know” each other Standardized link contracts will be developed to serve the existing models of data exchange As XDI evolves it will start to leverage trusted computing where it does exist – This will open the door to some more spontaneous data sharing and will in turn help validate the benefits of trusted computing Over time a virtuous cycle may emerge where XDI link contracts increasingly use trusted computing and where trusted computing relies more and more on XDI 20 Our challenge Break down the remaining barriers to trusted computing adoption Foster the development and deployment of the technology building blocks (if we build it…) Focus significant corporate and academic resources on the “ease of use” problem My request: Keep an eye on XRI and XDI as they develop Share your critical views on this work with the OASIS XRI and XDI TC’s My hope is that you will leverage these technologies to foster the scale-out of trusted computing 21 Links for more information on XDI http://en.wikipedia.org/wiki/XDI http://www.oasis-open.org Google for the XDI FAQ 22