[OLPC Security] Comments on the security properties of Scott's lease-delegation scheme

Michael Stone michael at laptop.org
Wed Jul 9 13:51:42 EDT 2008


Scott recently proposed that we extend our theft-deterrence lease scheme
with delegation features so that we can generate short leases on demand
from locally available infrastructure like school servers. This feature
permits countries to deploy theft-deterrence features more broadly
WITHOUT concurrently deploying global connectivity to the OLPC Global
Theft Deterrence Server (GTDS). Here are my thoughts on the security
implications of the proposal (and on what, _exactly_, we are proposing
to offer to our clients.)

1. If the attacker wishes to resell "working" laptops (rather than, say,
components), then deploying this scheme may force attackers to
circumvent theft-deterrence protections more quickly.
 
   - Note: the scheme DOES NOT increase the cost to circumvent
     existing protections.

2. As more trust is placed in local infrastructure, it becomes easier to
circumvent theft-deterrence protections.

   - We now trust, for example, that the school server (XS) can keep
     secrets from its users.

   - If, in the future, the XS begins to generate time data trusted by
     the XOs, then we will also be forced to trust that the XS can keep
     correct time where, formally, we only trusted that XOs and the
     GTDS could do so.
   
   - We introduce change into a trusted code base. This change could
     potentially fix latent bugs but seems more likely to me to
     introduce new bugs.

3. The major security effects derive from rearranging and hopefully
reducing the support costs of the theft-deterrence system (e.g. by
exchanging the cost of providing connectivity to the OLPC GTDS for the
cost of maintaining public key infrastructure) rather than as a result
of any technical improvement in the security afforded by the design or
the software.

Comments?

Michael

P.S. - Aspects of this mail incorporate personal feedback given to me by
Ivan.
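An added illustration, not part of Scott's proposal or of this mail: one way the XO-side check of a two-level lease chain could look, written as a Go program against the standard library. The message formats, field names, serials, clock readings and the choice of Ed25519 are all assumptions made for the example. It makes point 2 concrete: the only things the XO trusts are its pinned GTDS root public key and its own clock, and the XS is trusted solely to keep its private key secret; the delegation's validity window and maximum lease length are what bound the damage if the XS fails at that.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Delegation: the GTDS root says XSPub may issue leases between NotBefore
// and NotAfter (Unix seconds), each at most MaxLeaseSec long. The field set
// and encoding are assumptions for this example.
type Delegation struct {
	XSPub       ed25519.PublicKey
	NotBefore   int64
	NotAfter    int64
	MaxLeaseSec int64
	Sig         []byte // by the GTDS root key
}

// Lease: a short lease for one laptop, signed by the delegated XS key.
type Lease struct {
	Serial  string
	Issued  int64
	Expires int64
	Sig     []byte // by the XS key named in the delegation
}

func putI64(b *bytes.Buffer, v int64) {
	var raw [8]byte
	binary.BigEndian.PutUint64(raw[:], uint64(v))
	b.Write(raw[:])
}

// Distinct prefixes stop a signed delegation being replayed as a lease or
// the other way round.
func delegationTBS(d *Delegation) []byte {
	var b bytes.Buffer
	b.WriteString("example-delegation-v0|")
	b.Write(d.XSPub)
	putI64(&b, d.NotBefore)
	putI64(&b, d.NotAfter)
	putI64(&b, d.MaxLeaseSec)
	return b.Bytes()
}

func leaseTBS(l *Lease) []byte {
	var b bytes.Buffer
	b.WriteString("example-lease-v0|" + l.Serial + "|")
	putI64(&b, l.Issued)
	putI64(&b, l.Expires)
	return b.Bytes()
}

// IssueDelegation runs on the GTDS, the only holder of the root private key.
func IssueDelegation(rootPriv ed25519.PrivateKey, xsPub ed25519.PublicKey, notBefore, notAfter, maxLeaseSec int64) Delegation {
	d := Delegation{XSPub: xsPub, NotBefore: notBefore, NotAfter: notAfter, MaxLeaseSec: maxLeaseSec}
	d.Sig = ed25519.Sign(rootPriv, delegationTBS(&d))
	return d
}

// IssueLease runs on the XS; its private key is the secret the school server
// must now keep from its users.
func IssueLease(xsPriv ed25519.PrivateKey, serial string, issued, expires int64) Lease {
	l := Lease{Serial: serial, Issued: issued, Expires: expires}
	l.Sig = ed25519.Sign(xsPriv, leaseTBS(&l))
	return l
}

// VerifyLease is the XO-side check. It relies only on the pinned GTDS root
// public key and on `now`, read from the XO's own clock; the XS supplies no
// time data.
func VerifyLease(rootPub ed25519.PublicKey, d Delegation, l Lease, mySerial string, now int64) error {
	if !ed25519.Verify(rootPub, delegationTBS(&d), d.Sig) {
		return errors.New("delegation not signed by the GTDS root key")
	}
	if now < d.NotBefore || now > d.NotAfter {
		return errors.New("delegation is outside its validity window")
	}
	if !ed25519.Verify(d.XSPub, leaseTBS(&l), l.Sig) {
		return errors.New("lease not signed by the delegated XS key")
	}
	if l.Serial != mySerial {
		return errors.New("lease was issued for a different laptop")
	}
	if l.Expires-l.Issued > d.MaxLeaseSec {
		return errors.New("lease is longer than the delegation permits")
	}
	if l.Expires > d.NotAfter {
		return errors.New("lease would outlive the XS delegation")
	}
	if now >= l.Expires {
		return errors.New("lease has expired")
	}
	return nil
}

// Demo uses constructed keys, serials and clock readings and returns each
// scenario's verification result by name (nil means the lease was accepted).
func Demo() map[string]error {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	xsPub, xsPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogueXSPriv, _ := ed25519.GenerateKey(rand.Reader) // never delegated by the GTDS
	const day = int64(86400)
	now := int64(1215625902) // constructed XO clock reading, 9 July 2008
	me := "EXAMPLE-SERIAL-A"

	d := IssueDelegation(rootPriv, xsPub, now-day, now+30*day, 7*day)
	good := IssueLease(xsPriv, me, now, now+7*day)
	long := IssueLease(xsPriv, me, now, now+60*day)
	rogue := IssueLease(rogueXSPriv, me, now, now+7*day)

	return map[string]error{
		"valid":        VerifyLease(rootPub, d, good, me, now),
		"overlong":     VerifyLease(rootPub, d, long, me, now),
		"wrong-serial": VerifyLease(rootPub, d, good, "EXAMPLE-SERIAL-B", now),
		"expired":      VerifyLease(rootPub, d, good, me, now+8*day),
		"rogue-xs":     VerifyLease(rootPub, d, rogue, me, now),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-13s %v\n", name, err)
	}
}
```

Two things worth noticing in the check: a compromised XS key is invisible to the XO (the "rogue-xs" case only fails because that key was never delegated), so the delegation's NotAfter and MaxLeaseSec are the real limit on what an XS compromise can buy, and that limit is exactly the PKI maintenance cost point 3 refers to, since the GTDS must keep re-issuing delegations. The `now` parameter is deliberately the XO's own reading; handing that to the XS would add the second trust assumption in point 2.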
