<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Nov 18, 2014 at 9:56 PM, Salz, Rich <span dir="ltr"><<a href="mailto:rsalz@akamai.com" target="_blank" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=rsalz@akamai.com&cc=&bcc=&su=&body=','_blank');return false;">rsalz@akamai.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>> What the hell does that mean? "As much as possible" sounds to me like "not<br>
> everything".<br>
<br>
</span>Yes, it means that ISRG will not commit to making every single bit of source available. For example, the system might use a RAID disk whose controller is private source. Or it might use a tamper-proof HSM where the vendor does not give out the source. And for most of the people in the world, that will be okay. But one or two with loud voices will complain "you promised to give all the source."<br>
<br>
So ISRG is setting realistic and achievable goals.<br></blockquote><div><br></div><div>Totally with you. Since that's the case, even a small sentence tweak to add an "e.g. HSM firmware" might help steer people's brains onto the good-faith track as they read it.</div><div><br></div><div>I was touring over the GitHub organization for /letsencrypt, and it was missing code for the server. I emailed someone on the project about whether it would be open sourced and they said yes. Like of course.</div><div><br></div><div>EFF's apparently been working on this (in the dark) since May 2012, when it was originally specced out as the "Chocolate protocol":</div><div><br></div><div><a href="https://github.com/letsencrypt/lets-encrypt-preview/commit/a07e36e1d1b6c5d948cbf490656f21e165154dc6" target="_blank">https://github.com/letsencrypt/lets-encrypt-preview/commit/a07e36e1d1b6c5d948cbf490656f21e165154dc6</a><br></div><div><br></div><div>EFF sure enjoys making the biggest media splash possible, but it's impossible to imagine EFF and Mozilla working on anything where the core components that *they* write on a security system aren't open source.</div><div><br></div><div>If LE works, it's going to radically transform the CA landscape, and it will do it through open souece and principled protocol design.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Sometimes the attitudes expressed by colleagues in my field depress me.<br></blockquote><div><br></div><div>The work done by some of my colleagues in my field awes me.</div><div> </div><div>-- Eric</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<span><font color="#888888"><br>
/r$<br>
</font></span><div><div><br>
--<br>
Principal Security Engineer, Akamai Technologies<br>
IM: <a href="mailto:rsalz@jabber.me" target="_blank" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=rsalz@jabber.me&cc=&bcc=&su=&body=','_blank');return false;">rsalz@jabber.me</a> Twitter: RichSalz<br>
<br>
_______________________________________________<br>
The cryptography mailing list<br>
<a href="mailto:cryptography@metzdowd.com" target="_blank" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=cryptography@metzdowd.com&cc=&bcc=&su=&body=','_blank');return false;">cryptography@metzdowd.com</a><br>
<a href="http://www.metzdowd.com/mailman/listinfo/cryptography" target="_blank">http://www.metzdowd.com/mailman/listinfo/cryptography</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div><a href="https://konklone.com" target="_blank">konklone.com</a> | <a href="https://twitter.com/konklone" target="_blank">@konklone</a><br></div></div></div>
</div></div>