Check out security expert Bruce Schneier's comments on Microsoft and the Trusted Computing Group (TCG), which has issued a best practices document, Design, Implementation, and Usage Principles for TPM-Based Platforms. Acronyms: "TPM" refers to a hardware-based Trusted Platform Module. "TNC" refers to the software-only Trusted Network Connect specification. Snippets from the Schneier article:
The best-practices document doesn't apply to TNC, because Microsoft (as a member of the TCG board of directors) blocked it. The excuse is that the document hadn't been written with software-only applications in mind, so it shouldn't apply to software-only TCG systems.
This is absurd. The document outlines best practices for how the system is used. There's nothing in it about how the system works internally. There's nothing unique to hardware-based systems, nothing that would be different for software-only systems. You can go through the document yourself and replace all references to "TPM" or "hardware" with "software" (or, better yet, "hardware or software") in five minutes. There are about a dozen changes, and none of them make any meaningful difference.
The only reason I can think of for all this Machiavellian manoeuvring is that the TCG board of directors is making sure that the document doesn't apply to Vista. If the document isn't published until after Vista is released, then obviously it doesn't apply.