Re: The TPM is dead, long live the TEE!

On 2014-07-23 03:54, Manu Sporny wrote:
> On 07/13/2014 12:33 AM, Anders Rundgren wrote:
>> How come the competition didn't buy into the TPM?
>> TPMs are based on a "one-size-fits-all" security API philosophy.
>> Since Intel relies on external vendors supplying TPM-components this
>> (IMHO fairly unwieldy) API must also be standardized which makes the
>> process updating TPMs extremely slow and costly.
>> TEEs OTOH can be fitted at any time with application-specific
>> security APIs which both can be standardized or entirely proprietary.
>> In fact, even third-parties can create new security APIs using
>> GlobalPlatform's TEE!
> Hey Anders,
> Could you elaborate a bit more on how we could apply this approach to
> the Web Payments initiative? The part that I don't understand is that if
> you allow entirely proprietary APIs into the mix, how do you achieve
> interoperability?

Hi Manu,
Good question!  What I meant was that for example payments represent a
specific application which could be supported by a TEE-based scheme.

The TPM-folks are trying to define mobile payment systems on top of something
that was designed by OS-security experts which doesn't work particularly well.

> Does it not matter at that level?

See below.

> To bring this more in line w/ what we're doing. We hope that the payment
> initiation mechanism that we end up standardizing is going to allow
> Visa, Mastercard, PayPal, Bitcoin, Ripple, etc. to all be listed as
> payment options by the merchant and selected freely by the customer
> depending on which payment mechanism they want to use. Is this an
> example of the approach that you're suggesting?

I would use the TEE for keeping keys that could be used for any number
of applications including payments.  It will happen but I guess most
people are waiting (as usual I might say...) for Google to tell the
rest of the industry how to do it.  Well, Samsung is also involved.


> -- manu

Received on Thursday, 24 July 2014 09:20:27 UTC