[OLPC Security] Comments on the security properties of Scott's lease-delegation scheme
michael at laptop.org
Wed Jul 9 13:51:42 EDT 2008
Scott recently proposed that we extend our theft-deterrence lease scheme
with delegation features so that we can generate short leases on demand
from locally available infrastructure like school servers. This feature
permits countries to deploy theft-deterrence features more broadly
WITHOUT concurrently deploying global connectivity to the OLPC Global
Theft Deterrence Server (GTDS). Here are my thoughts on the security
implications of the proposal (and on what, _exactly_, we are proposing
to offer to our clients.)
1. If the attacker wishes to resell "working" laptops (rather than, say,
components), then deploying this scheme may force attackers to
circumvent theft-deterrence protections more quickly.
- Note: the scheme DOES NOT increase the cost to circumvent
2. As more trust is placed in local infrastructure, it becomes easier to
circumvent theft-deterrence protections.
- We now trust, for example, that the school server (XS) can keep
secrets from its users.
- If, in the future, the XS begins to generate time data trusted by
the XOs, then we will also be forced to trust that the XS can keep
correct time where, formally, we only trusted that XOs and the
GTDS could do so.
- We introduce change into a trusted code base. This change could
potentially fix latent bugs but seems more likely to me to
introduce new bugs.
3. The major security effects derive from rearranging and hopefully
reducing the support costs of the theft-deterrence system (e.g. by
exchanging the cost of providing connectivity to the OLPC GTDS for the
cost of maintaining public key infrastructure) rather than as a result
of any technical improvement in the security afforded by the design or
P.S. - Aspects of this mail incorporate personal feedback given to me by
More information about the Security