Monday, January 14, 2008

Will end users ever generate pull-through demand for TPM?

For a year and half in my security PM role (and longer before I got here), we have struggled selling TPM (Trusted Platform Module) as a feature in commercial desktop and notebook PC's.  Outside of military and other government accounts, customers simply don't know what a TPM is (even those that should) or what benefits that can arise from having one.  My honest answer - today, there isn't much benefit.  Sure, you have hardened security for storage of encryption keys and certificates, true random number generation.  But how important is that?  Who cares?

The TCG (Trusted Computing Group) and in many respects the OEMs shipping TPMs, are simply putting too much effort into the technical features of the TPM and too little effort into the benefits.  And its not simply a messaging problem.  The true problem is that there simply aren't enough benefits today.  There isn't a robust ecosystem that supports/uses a TPM and provides compelling value to a customer.  Apple has figured out one way to push TPM demand - OS X simply won't boot on a system without a TPM (presumably containing an EK and Apple platform credential).

Until Microsoft ties Windows licensing to the TPM, or media providers (music/movie studios, etc.) tie content (or content permissions) to the TPM, then I don't see wide spread adoption until the "Trusted Internet" becomes a reality (IF it ever does).  In either case, I don't think TPM will be an explicit request.  Rather it will become as ubiquitous and SuperIO, North/southbridge, etc - where a customer doesn't demand TPM but demands the functionality gained with a TPM.