Microsoft says: Trust me

Although it's attracting a lot of attention, Microsoft has been very vague about the technical details of the Palladium secure computing initiative.

In particular, enterprises looking at implementing trusted computing systems have to know who manages the trust and -- since the whole purpose of the exercise is to deny any form of access to the untrustworthy user, program or data -- how the trust mechanism can be made 100% reliable so that failures here don't disable the entire system.

Some of the mechanisms of trust have been publicly discussed. Microsoft has said that Palladium will be complementary to existing strategies, such as the Trusted Computing Platform Alliance, or TCPA. This is an agglomeration of 170 companies, led by HP/Compaq, IBM, Microsoft and Intel. TCPA is working towards a system that can establish that a computer is trustworthy and identify any tampering with it -- so a previously authenticated computer can't have unchecked software or hardware added to it which might compromise its security. It also encompasses the use of public key infrastructure, smart cards and VPNs.

TCPA sets out to assure three major aspects of trusted computing -- that users of a system know who they are talking to and what it is; that information is transferred accurately, and that privacy from snoopers is maintained.

TCPA talks about integrity metrics, which are fingerprints or descriptions of the characteristics of parts of a computer or a network. They are used to prove that an individual component -- such as a BIOS or a secure portion of the operating system -- is known to be trustworthy, both in the sense that it is what it claims to be, and that it hasn't been tampered with.

Once the metric of one item is known, that item can extend the list of things it trusts throughout the system by checking each in turn. The BIOS boot block checks the hardware specification of the PC against a known safe metric, and if that pans out it asks the user to authenticate themselves. It then checks the operating system loading software. The OS loader, once proven safe, checks the OS kernel. The kernel knows how to check the list of legitimate software, which in turn can use OS resources to authenticate local and remote data.

That builds a trusted stand-alone system. The question of whether to trust a remote platform is an extension of this process: integrity metrics are obtained for the remote platform and securely stored. These can include a hash -- an algorithmically derived number unique for a certain configuration -- which is digitally signed by the remote platform. Any attempt to tamper with this will change the hash number, which then won't match the trusted version held locally by the system trying to authenticate the remote platform.
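The chain of checks and the remote comparison described above can be sketched as follows. This is an added example, not code from the article or from the TCPA specification. It assumes SHA-256 as the hash and uses an HMAC with a shared key as a stand-in for the platform's digital signature; the component names, images and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample images, in the boot order the article describes.
BOOT_CHAIN = [
    ("bios_boot_block", b"constructed BIOS boot block image"),
    ("os_loader", b"constructed OS loader image"),
    ("os_kernel", b"constructed OS kernel image"),
    ("application", b"constructed application binary"),
]

def measure(image: bytes) -> bytes:
    """Integrity metric of one component (assumption: its SHA-256 digest)."""
    return hashlib.sha256(image).digest()

def configuration_hash(chain) -> bytes:
    """Fold every metric into one digest that depends on each component and its order."""
    running = bytes(32)
    for _name, image in chain:
        running = hashlib.sha256(running + measure(image)).digest()
    return running

def trusted_boot(chain, known_good) -> list:
    """Check each stage against its known-good metric; stop at the first mismatch."""
    started = []
    for name, image in chain:
        if not hmac.compare_digest(measure(image), known_good[name]):
            break  # this stage and everything after it is never trusted
        started.append(name)
    return started

def sign_report(key: bytes, chain):
    """Remote platform: report its configuration hash with a tag (HMAC stand-in for a signature)."""
    digest = configuration_hash(chain)
    return digest, hmac.new(key, digest, hashlib.sha256).digest()

def verify_remote(key: bytes, report, trusted_digest: bytes) -> bool:
    """Verifier: the tag must be valid AND the hash must match the locally held trusted value."""
    digest, tag = report
    expected_tag = hmac.new(key, digest, hashlib.sha256).digest()
    return (hmac.compare_digest(tag, expected_tag)
            and hmac.compare_digest(digest, trusted_digest))
```

A change to any single component alters the final hash, so the verifier rejects the report even when the tag over the new hash is itself valid.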

A side effect of relying on digitally signed metrics floating around the Internet is that there's a possibility they'll be intercepted and used to find out about the configuration of the platforms they describe. To that end, the TCPA allows for a security proxy called an Authenticated Anonymity Website. This is a trusted third party site that will provide a user with credentials in the form of a certification: this says that the user is known and trusted, but contains no information about the user that can be otherwise used. Anyone wishing to transact with the user can do so anonymously.

TCPA specification 1.1 was released in July last year, at, with version 2 being created at the moment. By promoting the concept of a trusted subsystem and chains of trust between those systems, it has a good chance of becoming the basic building block for bigger, more ambitious concepts such as Microsoft's Palladium.
