Re: rachelelise post# 615

Friday, July 25, 2003 10:59:09 AM

Post# of 249173
OT rachelelise, if Verisign attempted a TAN alternative then they have failed thus far, IMHO. After another sleepless wavoid night, some random thoughts occurred to me regarding Verisign and attestation which had some very optimistic conclusions.
I'll start with the conclusion *** In 2003 Intel demonstrated Wave's suite of trusted services and wavx demonstrated their attestation server at the RSA trade show. DO NOT underestimate the importance of this... IMHO this is critically important because I believe Verisign WAS, and maybe still is, trying to hijack pieces of, if not the whole, TAN (at least the vanilla TAN) and has apparently thus far failed. As I dug in I could see clear indications where Verisign with Intel describe two or more pieces of the TAN process. At the very end of this I came up with 5 TAN pieces that no one else has been able to come up with, that I can find. As part of our due diligence it is wise to keep an eye on Verisign and understand, IMHO, that they already have a place in the TCG but they would HAPPILY take more:

Three months after the CMU workshop, Verisign and Intel came out with a white paper that did discuss some TAN-like methodologies, specifically a piece of the manufacturing process, which has the "TAN" Initialization Server and Authorization Server processes described. It also clearly illustrates the process intended to attest to the TPM's authenticity.

From Wavx's TAN PDF:
"The Authorization Server is the TAN component that controls the identities for EMBASSY Trusted Client hardware devices to be manufactured." Subsequently, "the TAN’s Initialization Station injects private data, such as unique identifiers and registration keys, in EMBASSY silicon during the manufacturing process. These processes ensure the integrity of all EMBASSY hardware devices."

"Device Server, the key enabler and authenticator of EMBASSY devices for the EMBASSY system."

http://www.wavesys.com/about/datasheets/03-000136_TAN.pdf


From Intel Verisign white paper:
Endorsement Key (EK)
The Endorsement Key (EK) is a public/private key-pair. The size of the key-pair is mandated to have a modulus (a.k.a. key size) of 2048 bits. The private component of the key-pair is generated within the TPM and is never exposed outside the TPM.
The EK is unique to the particular TPM and therefore the particular platform. There are two ways to generate the EK. The first method is to use the TPM command specified for this purpose (TPM_CreateEndorsementKeyPair). The second method is called “squirting”, in which the TPM manufacturer can “squirt” an externally generated EK into the TPM during the manufacturing process. Note that much of the value (or trust) associated with the TPM comes from the fact that the EK is unique and that it is protected within the TPM at all times. This property is certified by the Endorsement Certificate (Cert). The same party that provides the EK may not provide the Endorsement Cert.

The purpose of the Endorsement Cert is to provide attestation that the particular TPM is genuine, i.e. that the EK is protected.

AIKs are created using Certificates (also called Credentials) available within the TPM. AIKs do not have any direct association with the EK or the credentials. AIKs are always bound to the platform and can be used to provide attestation to the platform’s identification and configuration. It is important to note that the service provider (or challenger) trusts the Trusted Third Party (TTP) to do its due diligence before issuing AIKs to a platform.


http://www.intel.com/design/mobile/platform/downloads/Trusted_Platform_Module_White_Paper.pdf


WELL.. There are several things that VERISIGN or ANYONE ELSE HAVEN'T BEEN ABLE TO DO, or at least not in this white paper.

1) ELEGANT ANONYMITY & PRIVACY: "The TAN allows for personalization of trustlets during service installation by injecting secret information or keys into the trustlet data structure. This feature allows an application service provider to communicate only with authorized trustlets and maintain a history of transactions while not compromising the end user’s anonymity and privacy."

2) REAL TIME SYNCHRONIZATION: "Applications and services that must verify the precise date and time of events need an uncontestable time source. The TAN’s Device Server offers trusted time services and ensures that EMBASSY devices have accurate local time according to their time synchronization schedule."

3) FIELD UPGRADEABLE: Through the relationship with the Device Server, certified EMBASSY software and firmware upgrades can be securely downloaded and installed on target devices. Application service providers can also use this feature for secure distribution of trustlets and trustlet upgrades. As the market for trustworthy PC services expands, the EMBASSY Trust Assurance Network is a powerful management tool for complex security needs.

4) APPLET PERMISSIONING, i.e. TRUSTLETS! "The TDS is the application service provider’s interface to the TAN and guarantees that trustlets are created within the security boundaries of the EMBASSY Trust System (ETS). Through the TDS, application service providers may also upgrade their trustlets to newer versions. If a trustlet is ever compromised or is no longer valid, the TDS allows an application service provider to revoke its permissions. The application service provider’s identity is always authenticated and cryptographic measures ensure that only the original publisher can take action on a specific trustlet."


5) THIS ONE'S REALLY COOL! MANAGED SECURITY: "To activate the managed security environment, EMBASSY devices register with the TAN’s Device Server. System administrators may set policies and permissions for TAN users and services, generate reports for tracking of attestable billable events, and create device groups having exclusive authorities. Additionally, technical support personnel may view the state and history of individual EMBASSY devices, and contain threats by revoking trustlets or disabling devices. These integrated functions help enterprises contain costs by making technical support and system administration as efficient"!!!!!!!!!!

Oh ya... lest we forget interoperability (shared trusted devices).

The point of this post was to put to rest the idea of Verisign having unseated us... IMHO clearly they have not and CANNOT! IMHO while Verisign is interested in this space... there are CLEARLY "some things wavx has figured out" -- wasn't "some things wavx has figured out" a quote from TCG?... in any event... I would say they certainly have, and I FEEL MUCH BETTER looking in the mirror and addressing this head on... keep an eye out until it IS a done deal, but IMHO wavx still OWNS THE SPACE !!!!!!!!!!!!!!!!!!!!!!
Kindest Regards,
C2
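The EK / Endorsement Cert / AIK flow quoted from the Intel/Verisign white paper in the post above, as an added simulation that is not part of the original post nor code from Wave, Intel or Verisign: textbook RSA on small constructed primes stands in for the TPM's 2048-bit keys, the manufacturer signs the EK public key to produce the Endorsement Cert, and the TTP (Privacy CA) checks that cert before issuing an AIK credential wrapped under the EK so only the genuine TPM can unwrap it. All key values, party names and function names are assumptions.

```python
import hashlib

# Textbook RSA on small constructed primes stands in for the TPM's real
# 2048-bit keys so the whole exchange runs offline; it is NOT secure.
def keygen(p, q, e=65537):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)                 # (public, private)

def digest(data, n):                      # SHA-256 reduced into the modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def pub_bytes(pub):
    return f"{pub[0]}:{pub[1]}".encode()

# Manufacturer (hypothetical): the party that issues the Endorsement Cert.
MFR_PUB, MFR_PRIV = keygen(1000003, 1000033)
# TPM: the EK private half never leaves the chip; the Endorsement Cert is
# the manufacturer's signature over the EK public key.
EK_PUB, EK_PRIV = keygen(1000037, 1000039)
ENDORSEMENT_CERT = sign(MFR_PRIV, pub_bytes(EK_PUB))
# Trusted Third Party (Privacy CA); its modulus is below the EK's so a
# credential can be RSA-wrapped directly under the EK.
TTP_PUB, TTP_PRIV = keygen(1000003, 1000037)
# Attestation Identity Key created by the TPM; no direct link to the EK.
AIK_PUB, _AIK_PRIV = keygen(1000081, 1000099)

def ttp_issue_aik_credential(aik_pub, ek_pub, endorsement_cert):
    """TTP due diligence: refuse any EK without a valid Endorsement Cert;
    otherwise return the AIK credential wrapped so only the EK can open it."""
    if not verify(MFR_PUB, pub_bytes(ek_pub), endorsement_cert):
        return None
    credential = sign(TTP_PRIV, pub_bytes(aik_pub))
    return pow(credential, ek_pub[1], ek_pub[0])   # encrypt to EK public key

def tpm_activate_identity(wrapped, ek_priv):
    return pow(wrapped, ek_priv[1], ek_priv[0])    # decrypt with EK private key

def enroll(aik_pub, ek_pub, ek_priv, endorsement_cert):
    """Whole flow; True when a challenger can verify the AIK credential."""
    wrapped = ttp_issue_aik_credential(aik_pub, ek_pub, endorsement_cert)
    if wrapped is None:
        return False
    return verify(TTP_PUB, pub_bytes(aik_pub),
                  tpm_activate_identity(wrapped, ek_priv))
```

A TPM presenting an EK without a manufacturer-signed Endorsement Cert never receives a credential, which is the "due diligence" the challenger delegates to the TTP.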