From: Norman N. <nor...@gm...> - 2006-05-31 23:24:10
Hi Kent & all,

The following question originated from trousers-users, but I think it's more related to trousers-tech, so sorry for mailing both lists.

The question is: since Tspi_Context_UnregisterKey doesn't require any authorization, any user can write a simple program to delete all the keys on a system. This will cause a denial-of-service attack. Shouldn't it require authorization?

Thanks,
Norman

==========================
From: Kent Yoder <shpedoikal@gm...>
* Re: Tspi_Context_UnregisterKey question
* 2006-05-30 08:28
<tro...@li...>

Hi Fabio,

Auth is not taken into account when registering or unregistering a key, either in user or system persistent storage.

Kent

On 5/29/06, Fabio Gullo <fabiogullo@gm...> wrote:
>
> Hi,
>
> as far as I can see from the TCG specifications, the method
> Tspi_Context_UnregisterKey(), used to unregister a key from the persistent
> storage, doesn't require any information about the parent key. What happens
> if I try to unregister a key whose parent requires authorization? Suppose,
> for instance, that I registered a key K under the SRK. Am I allowed to
> unregister K, without knowing the authorization value for the SRK?
>
> Regards,
>
> Fabio

--
Kent Yoder
IBM LTC Security Dev.

<tro...@li...>