Building Trust From the User On Up
Opinion: The Trusted Computing Group is addressing mobile phone security by employing "use case" methodology to craft a specification.

The Trusted Computing Group announced its plans on Tuesday to "enable trust and security in mobile phones and their applications." The organization has created a set of use cases for mobile phone security and intends to have a publicly available specification based on these cases ready for dissemination in the first half of 2006.

TCG's mobile phone workgroup includes Authentec, Ericsson, France Telecom, IBM, Infineon, Intel, Lenovo, Motorola, Nokia, Philips, Samsung, Sony, STMicroelectronics, Texas Instruments, VeriSign, Vodafone and Wave Systems. They want to make mobile devices part of this trusted network, which makes perfect sense. Commerce does not happen just on desktops, after all.

But the method they are using to devise the specifications for mobile devices is somewhat unusual for this kind of group: They're going from the bottom (user) upwards to the network. They're using the use case methodology.
- Platform integrity to ensure the hardware and software are in a state intended by the manufacturer.
- Device authentication to protect and store identities of users and bind the device to the appropriate user.
- Digital rights management implementation to protect content on the phone.
- SIMlock/device personalization to ensure a device is locked to its network and to prevent device theft.
- Secure software download to enable the safe download of updates, patches and other software.
- Secure channel between the device and UMTS Integrated Circuit Card (UICC) to help avoid malicious software that can interfere with applications or otherwise compromise it.
- Mobile ticketing to enable the secure download of tickets and manage them.
- Mobile payment to enable the secure execution of payments.
- Software use to ensure that software is safe and if not, can be removed, replaced or not executed.
- User data protection and privacy to allow users to prevent their information from being accessed or viewed by unauthorized entities and to give users access to services or data that might not require personal information.