[Cdn-DMCA] TCPA/Palladium

Alan DeKok aland at ox.org
Mon Jul 22 15:14:15 EDT 2002 

Russell McOrmond <russell at flora.ca> wrote:
>   I would like some analysis to be done on TCPA/Palladium.  I have my 
> opinions from all I have read, but I have not had the time (nor the 
> interest, to be honest) to dive into it in detail.

  Neither have I.

  I've got some comments on the difference between encryption and
authentication, though.  My ideas aren't perfect, but I think they are
a good model for thinking about the issues.

  Authentication protects someone other than you.

  Why?  You don't create your own credentials.  All of your
identification is given to you by someone else.  The government, the
bank, your parents (who named you?), etc.

  So authenticating yourself to the government, with government-issued
ID, doesn't protect you.  You're just allowing the government to be
sure it's talking to the same person who was issued the identication.

  Think of it as "token passing", in the computer network sense.


  Encryption protects you.

  Why?  You create your own encryption keys.  It doesn't matter what
the keys are, no one really looks at them.  If someone has a key which
decrypts communications from you, then you must have given them that
key.

  If you don't like the key, you can change it.  If you want to verify
who you're talking to, you ask them to authenticate themselves, with
government issued ID.  If you really care, you ask them to encrypt
those credentials with the current key, to be sure that for this
conversation (i.e. encryption key), you're talking to the correct
person (i.e. authentication credentials)

  Why does this matter?  *YOU* are in control of your encryption
keys.  You decide which conversations to make public, and which ones
to make private.  The private conversations are ones that *you* think
need to be private, to protect *your* privacy.  You make other
conversations public, because you're not afraid of their contents
being revealed.


  By now, you're thinking "That's nice, but what does it have to do
with TCPA/Palladium?"

  See:

  http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html

  section 4:

  "[ the TCPA system ] checks that ... the software components have
been signed"


  So the software components are authenticated.  That is, they're
given authentication information by someone you don't know, and your
computer will refuse to run any software without those credentials.

  Looking at my analogy/explanation above, we can conclude that this
authentication information protects *them*, not *you*.

  Personally, I see no reason why I should have to pay for something I
don't want, which I don't need, and which serves only to protect
someone other than myself.


  Another analogy is a wonderful idea I had for burglary prevention.
We simply station a security guard at every door and window in your
house.  Then, before you can change rooms, you must show the guard
your ID.

  What, you say?  It's 2 AM, you're in your underwear, and you want to
visit the bathroom?  Well, you don't have any ID on you, so you're
obviously a burglar, and you should go to jail.


  That's TCPA/Palladium.  It's also one of the stupidest ideas I've
heard of in a while.

  Alan DeKok.
--
For (un)subscription information, posting guidelines and
links to other related sites please see http://www.flora.org/dmca/

More information about the Discuss mailing list