W3C home > Mailing lists > Public > public-hb-secure-services@w3.org > February 2017

Re: GlobalPlatform - Trusted Management Framework

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 13 Feb 2017 11:19:59 +0100
To: Don Felton <don.felton@trustonic.com>, "'public-hb-secure-services@w3.org'" <public-hb-secure-services@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>
Cc: Richard Hayton <richard.hayton@trustonic.com>
Message-ID: <67e7369e-5c62-5bfd-9b57-da4545d02efc@gmail.com>
On 2017-02-10 15:24, Don Felton wrote:
> Hi Anders and all,

Hi Don,

> Did anyone also post the link to the GlobalPlatform Trusted Management Framework (GP TMF)
 > when it was released last year?

I don't think so.

> While the OTrP people argue their (draft) solution is ideally suited to TEE in the IoT,
 > my possibly biased opinion is that while it is an easy read, the result is relatively unaligned,
 > heavyweight and inflexible compared to the (not draft) GP TMF standard.

I guess my personal experiences in this field (https://www.linkedin.com/pulse/intel-destroyed-tpm-now-set-kill-nfc-anders-rundgren) have made me less convinced that standardization always is the right solution.

It seems that Charters and Processes are considered "Sacred" while Timely deliverables, Changes in the market, Available technology, Unexpected problems, New knowledge, and Competing solutions are largely *ignored*.

In addition, the fact that Google/Android have more than 80% market-share on mobile devices make standardization efforts outside of Google's territory from a practical point of view close to "pathetic" :-(

FWIW, I am (since ages back...), working with something "TEE-ish" as well. However, there are no plans to standardize anything at this stage.  This scheme is technically very different to GP.  The core will be presented at the next "Linaro Connect" in Budapest.

Summary: Availability beats standardization anytime!

> Sorry, but I don’t know of any pretty GP TMF slideware that is public.
> The best I can do is the press release
> https://www.globalplatform.org/mediapressview.asp?id=1284
> I guess I should, for completeness, also point out that GlobalPlatform have for years provided the equivalent "GlobalPlatform Card Specification" for the same task area in the SmartCard space. Again I can't provide a link to slideware but the GP website has the specs.
> GP TMF did leverage some of the ideas behind the GP Card Specification, but went to a lot of effort to revise the management model to enable more flexibility in what is potentially a multiple ownership device environment (e.g. OEM, ODM, MNO, and various service providers all wanting their own isolated and controlled slice of the action).
> Finally I have to say that the OTrP slide deck is suffering from a common marketing mistake when relating to TEE's. They are equating a TEE to the Trusted OS, whereas GP define the TEE as bounded by a Common Criteria format Protection Profile, which in their case would include everything in the Secure World enabling the Trusted Applications.
> Regards
> Don
> (I had better admit that I currently chair the group in GP that created the GP TMF.)
>> -----Original Message-----
>> From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
>> Sent: 09 February 2017 10:03
>> To: 'public-hb-secure-services@w3.org' <public-hb-secure-services@w3.org>;
>> public-web-security@w3.org
>> Subject: Open Trust Protocol
>> Related to the Hardware Based Security Services:
>> https://tools.ietf.org/html/draft-pei-opentrustprotocol-03
>> https://s3.amazonaws.com/connect.linaro.org/las16/Presentations/Wednesday
>> /Open%20Trust%20Protocol%20-%20LAS16-306.pdf
>> BTW, what's the status of HB Secure Services?
>> Anders
Received on Monday, 13 February 2017 10:20:55 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:52:47 UTC