The fourth installment of InTrust has made it out of Beijing and is currently being held at Royal Holloway, University of London. The first day featured three contributed talks balanced by three keynotes and a panel session.
For me, the first highlight of the day was the practical demonstration by Nicolai Kuntze, who showcased his implementation of establishing trusted connections in mobile ad-hoc networks by leveraging Trusted Platform Modules (TPMs). The interconnections of three nodes in the lecture theatre (two embedded ones with a hardware TPM and a laptop with a simulated TPM) were displayed and updated in real time on the projector. Once the software configuration of one of the embedded nodes was changed to a non-trusted setup (by connecting a USB stick to it, which in turn led to the execution of non-trusted code), the change was measured into its TPM's PCR(s). Since the communication key was only usable from the trusted PCR state, this locked out use of the key, which in turn caused the other two participants of the network to drop their connection to the node and to reject its future attempts to reconnect. Amazingly enough, the demo went smoothly, to everyone's surprise (and Nicolai's most of all). I guess the demo effect is already on Christmas break :-)
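To make the mechanism behind that demo concrete, here is a small simulation I have added to this post; it is not Nicolai Kuntze's code and makes no claim about the internals of his implementation. It assumes (my assumption, not something stated in the talk) that the shared communication key is sealed to the node's PCR value, the way a TPM releases a sealed object only under a matching PCR policy. The three node names, the fake boot-chain blobs and the "USB payload" are constructed inputs; `SimTpm`, `Node` and `refresh_links` are my own helper names. The example shows the two properties the demo relied on: a PCR is a one-way hash chain, so an unexpected measurement cannot be undone without a reboot, and a key sealed to the known-good PCR becomes unusable the moment that chain diverges, so the peers' challenge-response fails and the node is dropped.

```python
import hashlib
import hmac
import secrets

PCR_RESET = b"\x00" * 32  # a SHA-256 PCR reads as all zeros after a TPM reset


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend semantics: PCR' = H(PCR || H(event)).

    The register only ever moves forward; software cannot write it back to an
    earlier value, which is what makes a later 'untrusted' measurement sticky.
    """
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def trusted_pcr(boot_chain) -> bytes:
    """PCR value a node reaches after measuring exactly this sequence of code."""
    pcr = PCR_RESET
    for code in boot_chain:
        pcr = pcr_extend(pcr, code)
    return pcr


class SimTpm:
    """Toy TPM (constructed for this example): measures whatever runs on the
    node and releases a sealed key only while the live PCR equals the PCR
    recorded as policy at sealing time (mirrors a PCR-bound seal policy)."""

    def __init__(self):
        self.pcr = PCR_RESET
        self.event_log = []                    # (label, H(code)) like a measurement log
        self.blob = None
        self._srk = secrets.token_bytes(32)    # stands in for the TPM-internal storage key

    def measure(self, label: str, code: bytes) -> None:
        self.event_log.append((label, hashlib.sha256(code).hexdigest()))
        self.pcr = pcr_extend(self.pcr, code)

    def seal(self, key: bytes, policy_pcr: bytes) -> None:
        # Wrap the key under a mask derived from the PCR state it is bound to.
        mask = hashlib.sha256(self._srk + policy_pcr).digest()
        self.blob = (policy_pcr, bytes(a ^ b for a, b in zip(key, mask)))

    def unseal(self):
        policy_pcr, ciphertext = self.blob
        if not hmac.compare_digest(self.pcr, policy_pcr):
            return None  # policy check fails: the key never leaves the TPM
        # The mask is recomputed from the *live* PCR, so even without the check
        # above a diverged PCR would only ever yield garbage, never the key.
        mask = hashlib.sha256(self._srk + self.pcr).digest()
        return bytes(a ^ b for a, b in zip(ciphertext, mask))


class Node:
    def __init__(self, name: str, boot_chain, group_key: bytes):
        self.name = name
        self.tpm = SimTpm()
        for code in boot_chain:
            self.tpm.measure("boot", code)
        # Provisioning step: seal the shared key to the known-good boot state.
        self.tpm.seal(group_key, trusted_pcr(boot_chain))

    def respond(self, nonce: bytes):
        """Answer a peer's challenge; impossible once the sealed key is locked."""
        key = self.tpm.unseal()
        if key is None:
            return None
        return hmac.new(key, nonce, hashlib.sha256).digest()


def refresh_links(nodes):
    """Every node challenges every other node with a fresh nonce and keeps a
    link only to peers that prove possession of the sealed communication key.
    A node whose own key is locked out can no longer verify anyone either."""
    links = {}
    for verifier in nodes:
        links[verifier.name] = set()
        key = verifier.tpm.unseal()
        if key is None:
            continue
        for peer in nodes:
            if peer is verifier:
                continue
            nonce = secrets.token_bytes(16)
            expected = hmac.new(key, nonce, hashlib.sha256).digest()
            answer = peer.respond(nonce)
            if answer is not None and hmac.compare_digest(answer, expected):
                links[verifier.name].add(peer.name)
    return links


def run_demo():
    """Replays the lecture-theatre scenario with constructed data."""
    group_key = secrets.token_bytes(32)
    boot_chain = [b"bootloader-v1", b"kernel-v1", b"manet-daemon-v1"]   # constructed
    nodes = [Node(n, boot_chain, group_key)
             for n in ("embedded-1", "embedded-2", "laptop")]
    before = refresh_links(nodes)
    # The USB stick: untrusted code runs on embedded-1 and is measured into its PCR.
    nodes[0].tpm.measure("usb-autorun", b"untrusted-payload-from-usb")    # constructed
    after = refresh_links(nodes)
    retry = refresh_links(nodes)   # a reconnect attempt later fails the same way
    return before, after, retry


if __name__ == "__main__":
    for label, links in zip(("before", "after", "retry"), run_demo()):
        print(label, {k: sorted(v) for k, v in links.items()})
```

Two things carry over to a real deployment: `pcr_extend` is exactly how a TPM updates a PCR, so the same hash chain can be recomputed by a verifier from the node's event log, and the sealing policy is what turns "the PCR changed" into "the key is unusable" without any software on the compromised node having a say in it. Anything that measures the executed code into the PCR (a measured boot chain, IMA-style runtime measurement) works as the front end; the simulation just calls `measure` by hand.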
The second highlight was the panel discussion of Charles Brookson, Nicolai Kuntze, Kenny Paterson and Graeme Proudler (chaired by Shin'ichiro Matsuo) about mobile device trust. The participants shared a rather pessimistic view on the adoption of sound security mechanisms in future mobile devices, as security is often not regarded as a primary goal of a device or system, but rather as a cost factor which needs to be minimized (or eliminated). Only in areas where the major stakeholders are actively aware of the security issues is the adoption of security facilitated. One example given was the "bring your own device to work" use case, where on one side companies have a vested interest in keeping their infrastructure secure despite connections from employees' devices that are not under the company's control, and on the other side employees have an interest in keeping the personal data on the device protected from access by the company.