Without "trusted" hardware the user will always be able to override software "protections" designed to prevent arbitrary code execution. This is just another "leapfrog" in this arms race. Give me "trusted computing" where I control the keys and decide what software is "trusted" and I'd be fine w/ it. Otherwise, I'll take the current situation on personal computers because, at least, I can run arbitrary software. ("Don't turn my PC into an iPhone, bro!")

It's worse than that. The idea is to introduce pervasive and potentially legally-mandated "trusted computing".

NAP / NAC without trusted computing platforms on the client nodes is a stupid, pointless idea. Unless the client can be trusted not to lie about its "health status" there's no guarantee that the client isn't simply infected with something that's smart enough to hide from "health scans".

It seems like most everybody doesn't understand (or notice footnote 14 on page 5) that, in order for this to work, all the subject devices must have trusted processing capability. That means "TPM" chips, signed OS kernels / hypervisors, and the inability to run untrusted root-level code. Take a second to laugh at the idea that anyone will be able to introduce a bug-free hypervisor / TPM environment that can't run unsigned and untrusted code. After you're done laughing at that I'd recommend being angered at the notion of such a thing, since it will effectively eliminate control of the devices owned by consumers.. turning every device with a "clean bill of health" into a walled-garden appliance. As long as consumers own and control their general purpose devices there will never be a way to do what this paper describes. Frankly, I'm alright with that. We'd do a lot better to just assume that every device is untrusted and act accordingly.