Industry Insights: The Trusted Computing Dilemma

Several proprietary approaches to this type of policy enforcement are available. Our Feb. 19 "On Location" case study discussed the University of Florida's Icarus software, which enforces network policies by monitoring traffic and removing machines from the network when they misbehave. The InfoExpress CyberGatekeeper, which we reviewed in the same issue, is also designed to enforce network policies.

The Trusted Computing Group (www.trustedcomputing group.org), an industry standards organization, is using 802.1X, RADIUS and EAP in a methodology it calls "Trusted Network Connect" (contributing editor Robert Moskowitz details its efforts in "Can Trust Be Put Into Computing?,"). The group demoed the technology at NetWorld+Interop in Las Vegas last week; you'll find a primer here.

Who's in Control?

But what if the user's computer is no longer controlled by the network admin? Instead, the applications on that computer must meet a policy set by your hardware and software vendors, if you want their ongoing support. This "trusted computing" scheme would be great for ensuring that software is licensed properly and hasn't been tampered with, and for running distributed applications on unknown computers, but it also could be abused by those implementing it.

In "Trusted Computing: Promise and Risk", Electronic Frontier Foundation staff technologist Seth Schoen provides some hypothetical scenarios that don't bode well for trusted computing, at least not from the user's side. He envisions situations in which external parties dictate which software your machines run. Microsoft's IIS could restrict communication to Internet Explorer, for example, or AOL could force people to use only its IM client.Schoen proposes a solution to this problem, in the form of "owner override," which would let the computer owner detect illicit activity on his or her computer but would also let the user "fake" compliance with software or hardware policies at his or her discretion. The Opera browser could identify itself as Mozilla or IE, for example. This would have negative implications for organizations that require DRM (digital-rights management) compliance, however. The override option would also limit trust for distributed apps.

Trusted computing won't do the trick unless it benefits us, the technology end users. If it also happens to help the vendors, that's OK. But if the vendors are going to use it to prevent the free and open use of computing systems, we're in for a world of trouble. There has to be a happy medium.

Mike Lee is NETWORK COMPUTING's editor. Write to him at [email protected].