These refer to the FAQ as of 2003 Dec 15.

Under “Strong process isolation” they say “Users can wall off and hide pages of main memory so that each nexus-aware application can be assured that it is not modified or observed by any other application or even the operating system.”
Note that until they provide and describe some program that you can instruct to do such operations, the user cannot do so. Not even a programmer can until they describe a software interface. Not even a programmer at the privileged level can until the hardware is specified. I don’t complain; it is awkward to use a future contingent tense while saying what you plan to do, but three gaps in the current technology definition are thus evident to me.

Attestation as described here and elsewhere would seem to support the following pattern. An agent running in some environment that it trusts can sense that some channel to which it holds a capability, is a safe hole to crawl thru. To crawl thru a hole is to send code thru the channel expecting it to be executed in a new environment with a capability to the other end of the channel. To be safe means that known security rules will be in place in the new environment. The agent can condition this on the version or implementer of the new environment. After the agent’s code is running at the other end we view the agent as distributed. The agent can still choose, however, to limit trust within its own distributed components based perhaps upon reputation of remote platforms.

Under “What is the privacy model associated with NGSCB?” they say “The technology being developed as part of NGSCB provides a fine-grained access control model that allows users to specify (by hash) whether a given nexus has the right to invoke a specific security operation.”. I presume that they mean by hash, the hash of the nexus code at the point that it first gets control.

Concerning “The AES symmetric key”, they could say that the SSC has the only copy. I think that they mean to. On the other hand they speak of the backup problem and how an external copy of the “unique” AES key would be used to decipher backup data upon catastrophe. This is a user trade-off, but what does the user do to cause there to be a copy of the AES key?