[Cryptography] Security clearances and FOSS encryption?

John Kelsey crypto.jmk at gmail.com
Wed Jul 9 12:18:56 EDT 2014


To the extent clearances do what they're supposed to do, they should indicate less risk of compromise to the project--less blackmail or bribery potential, for example.  An ongoing relationship with someone who wants to compromise the project (which could be NSA, or a US govt contractor, or another country, or a criminal organization, or ...) is a potential problem, but no one trying to infiltrate your project will tell you about those.  

We have a kind of instinctive security notion of wanting to build a nice big wall with bad guys outside and good guys inside, but that doesn't really work too well.  Instead, we need processes that don't rely overmuch on any one person's integrity or competence.  (That protects against errors as well as malfeasance.) 

--John

