
Exactly, remote attestation is only acceptable on your own devices with remote attestation servers that you control.

For example, it would be completely fine to implement remote attestation where devices issued by companies to employees verify their TPM values with the company's servers when connecting via VPN.

All other such activities directly infringe on ownership rights.



I don't see the value of remote attestation, period. Especially when we talk about the mobile world, which is a jungle where even the manufacturer itself doesn't have the full picture of all the code running on the device.

Yeah sure, it guarantees that the device is more or less similar as from the factory... and then what? What am I supposed to do with that information?


It can be valuable on devices *you own* with servers *you own* when the devices are not physically present (or even if they are).

You can get PCR values and decide if the device you are talking to is tampered with. That way, you can set a higher bar for hackers.

This is completely different to what this topic is about, I'm just saying that there is a case where it can be useful.
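
Added example, not part of the comment above and not code from any poster: a minimal server-side check of the kind the last comment describes, replaying a device's measured-boot event log into SHA-256 PCR values and comparing them with the reported PCRs and an owner-controlled allowlist. It assumes the PCR values came from a TPM quote whose signature and nonce were already verified; the function names, policy layout and sample measurements are constructed for illustration.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # SHA-256 bank PCRs start as all zeros at reset

def measure(blob):
    """Digest of a boot component (stands in for what firmware would measure)."""
    return hashlib.sha256(blob).digest()

def extend(pcr, digest):
    """TPM extend operation: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log):
    """Fold an event log of (pcr_index, digest) pairs into final PCR values."""
    pcrs = {}
    for index, digest in event_log:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), digest)
    return pcrs

def verify_device(reported_pcrs, event_log, allowed):
    """Return a list of findings; an empty list means the device passes policy."""
    findings = []
    replayed = replay(event_log)
    for index in sorted(allowed):  # every PCR named in the policy must be reported
        value = reported_pcrs.get(index)
        if value is None:
            findings.append(f"PCR{index}: missing from report")
        elif not hmac.compare_digest(replayed.get(index, PCR_INIT), value):
            findings.append(f"PCR{index}: log does not reproduce reported value")
    for index, digest in event_log:  # every logged measurement must be approved
        if digest not in allowed.get(index, set()):
            findings.append(f"PCR{index}: unapproved measurement {digest.hex()[:16]}")
    return findings

# Constructed sample data: a known-good boot chain and one with a swapped kernel.
GOOD_LOG = [(0, measure(b"firmware-1.0")),
            (4, measure(b"bootloader-2.1")),
            (4, measure(b"kernel-6.1"))]
TAMPERED_LOG = GOOD_LOG[:2] + [(4, measure(b"kernel-modified"))]
ALLOWED = {0: {measure(b"firmware-1.0")},
           4: {measure(b"bootloader-2.1"), measure(b"kernel-6.1")}}

if __name__ == "__main__":
    print(verify_device(replay(GOOD_LOG), GOOD_LOG, ALLOWED))
    print(verify_device(replay(TAMPERED_LOG), TAMPERED_LOG, ALLOWED))
    print(verify_device(replay(TAMPERED_LOG), GOOD_LOG, ALLOWED))
```

The third call shows why the log is replayed rather than trusted: a device that presents a clean log while its PCRs reflect a different boot chain fails the comparison.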



