The two standards are the PB-TNC (or IF-TNCCS 2.0 according to the TCG) and the TA-TNC (or IF-M 1.0), both connected with collecting and reporting on the health of an endpoint such as a laptop or a printer.

Joel Snyder from the consultants Opus One said:

"With the IETF adoption of the TNC NAC specifications, network managers now have the assurance that the best minds from vendors, enterprises, and academia have come together behind a common set of protocols."

The other major plus point of this is that Cisco have said they would finally support TNC once it becomes an IETF standard, so hopefully we’ll soon see some action from them. Steve Hanna from Juniper Networks and co-chair of the TNC posted a related blog entry that covers the hopes for total interoperability in the near future built on the basis of these standards.

Barely a day goes by when you switch on your computer, plug into the web and come across yet another deranged scheme to restrict freedom in the name of security, safety or morality. RIAA, DMCA, RIPA, Pallidium computing, the list almost seems to grow exponentially. So, some guys got together in a dark room, brainstormed and came up with yet another ruse to curtail access to and use of the internet. Relax, this one won’t fly. Trust me. But the sheer audacity of it! Even the bovine docility of Windows users wouldn’t stomach this one (or would they?)—and here’s the irony. It seems to have been dreamed up by someone at Microsoft but in reality this nonsense has form. The wrap sheet’s a long one. Welcome to the world of “Microsoft’s Internet license”.

Later on in the article the United Nations also comes in for a kicking, but I was disappointed by the lack of mention of either 9-11 or the military-industrial complex.

A security strategist with a well-known online payment service said that HSMs did not solve the problem entirely and might be difficult to scale. He suggested AWS create key servers in memory rather than on disk. A passphrase would then be required to access the HSM and pull out the required key.

That quote makes little sense to me, and I’m surprised that there was no mention of virtualisation of the HSM – a quick search of the web reveals a good number of people working on virtualisation schemes for the Trusted Platform Module.

The authenticity and integrity of software running on mobile equipment is relevant and important in m-commerce. Mobile trusted computing can solve the problem by using Reference Integrity Metric (RIM) certificate. But the RIM certificate stored in Mobile Trusted Module (MTM) is suffered to frequently renew while the software is updated or patched. In the study, a user-specific RIM, uRIM, is presented. Based on the uRIM, a novel software integrity verification protocol is proposed. It allows an easy management of RIM to support the secure boot as well as a low-cost on verifying of software authenticity.

The goal is to replace RIM certificates, which are signed with RSA keys, with a shared secret protected via hashing for performance reasons. However, the document ignores the fact that internal RIM Certificates use HMAC keys, so for each certificate there need only be one RSA signature verification, not one every invocation. The document has a number of errors in the formulae, it redefines the operation of tpm_quote to do something completely different, and generally treats the MTM as a general-purpose secure execution environment. However, the security hole comes in equation 2, e = v XOR S. Here, v should be secret and S is a known hash of the application. It should be obvious that one can evaluate e XOR S and recover v, thus one can change the application and replace e with e’ = v XOR S’.

That seems such an obvious hole I must be missing something…

Google also mentioned that they will be initially targeting consumers, but they are also looking at addressing the corporate environment.

Trusted Client is a cost-effective, secure mobility solution that uses its own hardened and encrypted operating system. It solves the problem of allowing unmanaged machines to access corporate networks. The user simply inserts the IronKey with Trusted Client into their home PC, for example, re-boots, authenticates, and can then access the corporate network, applications and data safely. The host PC hard drive and operating system are not touched so that no data can leak onto the host and no malware present can infect the network.

It can be seen at the upcoming RSA Conference and Information Security Show.

On a personal note, I wish we had something like that as our corporate notebooks are so loaded with bloatware that they become unusable, and on my last business trip I had to take both the corporate notebook and my own netbook to enforce the separation between personal and business activities.