
D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management


Executive Summary  

This deliverable introduces Trusted Computing (TC) technology, with an overview of the main concepts, functionalities and features of general TC hardware and software. The overview also includes the TC specifications of the Trusted Computing Group, a specification and standardization body dedicated to Trusted Computing, in addition to other industrial and academic efforts and projects for further development of the technology. After touching on some application scenarios and social and legal aspects of TC, we shed light on the implications of TC for identity and identity management with regard to enhancing digital identification, possible violations of consumer privacy, and providing anonymity in TC-based infrastructures. We propose ideas on how TC concepts and features can influence identification, identity management systems, privacy and anonymity. We then give a brief use case scenario of TC-based identity management across several domains of identification.

TC is a new technology aimed at bringing trust in computing platforms to a higher level by providing evidence about the integrity of a platform to both the platform’s owner and arbitrary third parties. While the concepts underlying Trusted Computing date back to the 1960s, the technology emerged when adopted by the Trusted Computing Group (TCG), formerly the Trusted Computing Platform Alliance (TCPA).

The focus is on the three main components of the TCG proposal: the Trusted Platform Module (TPM), a tamper-resistant hardware chip; the Core Root of Trust for Measurement (CRTM), a kind of (protected) pre-BIOS; and the TCG Software Stack (TSS), the supporting software. These are continuously subject to research, development and implementation by TPM manufacturers, system integrators and leading industrial and academic open-source projects.

Although TC seems to be a promising technology, some aspects of it still raise problems and reservations among consumers as well as academic researchers. The fears concern several aspects: the possibility of restrictive digital content control by content providers by means of technologies such as Digital Rights Management; “lock-in” of specific software on consumer platforms by software providers, restricting the installation of similar software and reducing interoperability; and breaches of consumer privacy due to some specified protocols requiring disclosure of identification information to Trusted Third Parties. From a legal perspective, some possible implications of TC might not be completely conformant with legislation such as the Copyright Act and the Competition Act.

Nevertheless, TC seems to provide ground for new business use cases in various fields such as Distributed Policy Enforcement, secure end-user systems and embedded security. In particular, TC can present advantages in the areas of Identification and Identity Management, and can enable new solutions in those fields. Some features and protocols defined by the TCG can have a substantial effect on various aspects of identification and can hence enable new business cases. Some functionalities can also affect anonymity on TC-based platforms; others can enhance identification, depending on how the features are used.

For this reason, national security agencies, industrial and standardisation bodies as well as the research community are all encouraged to further investigate the advantages of TC with respect to digital identity, identification and identity management, and to envision more developed use cases of the technology.

 
