[OLPC Security] Comments on the security properties of Scott's lease-delegation scheme

[Benjamin M. Schwartz]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I find this e-mail is vague to the point of incomprehensibility.

Michael Stone wrote:
| 1. If the attacker wishes to resell "working" laptops (rather than, say,
| components), then deploying this scheme may force attackers to
| circumvent theft-deterrence protections more quickly.

Vague.  What do attackers have to do more quickly?  Clearly reprogamming
the SPI flash can be done even after all the timeouts expire, so you must
be thinking of something else.

| 2. As more trust is placed in local infrastructure, it becomes easier to
| circumvent theft-deterrence protections.

In places without an internet uplink, there is presently no
theft-deterrence protection to circumvent.  This would introduce some.
Schools with internet access need not alter their operations at all.

| 3. The major security effects derive from rearranging and hopefully
| reducing the support costs of the theft-deterrence system (e.g. by
| exchanging the cost of providing connectivity to the OLPC GTDS for the
| cost of maintaining public key infrastructure) rather than as a result
| of any technical improvement in the security afforded by the design or
| the software.

I would say that the main security effects derive from introducing theft
deterrents in places without internet access.  Currently, there is no
technical deterrent to theft in these schools.

Calling this an exchange of connectivity for PKI is bizarre.  There is
only an "exchange" if schools that would have had internet access will be
denied it as a result of this infrastructure.  From my contact with
deployment teams, that seems tremendously unlikely.

- --Ben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkh0/twACgkQUJT6e6HFtqSu7QCfQJLR8gRduC5y8nMtbKRJk9ll
BE8Ani3pDkhjcc39YCGREl1OKTX6j+S7
=cW7c
-----END PGP SIGNATURE-----