[Cryptography] Security clearances and FOSS encryption?

John Kelsey crypto.jmk at gmail.com
Sat Jul 12 09:29:06 EDT 2014


> On Jul 11, 2014, at 7:20 AM, ianG <iang at iang.org> wrote:
> 
>> On 9/07/2014 17:18 pm, John Kelsey wrote:
>> To the extent clearances do what they're supposed to do, they should indicate less risk of compromise to the project--less blackmail or bribery potential, for example.
> 
> 
> Well, there are clearances that we do on our people, and the clearances
> that our enemy does on his people.  We're talking about the latter, so
> following your train of thought, we are dealing with (a) a signal of
> something, and (b) people who are already compromised ... by the issuer
> of the clearance, aka, the enemy.

There isn't *one* enemy sitting in Ft Meade (or Mordor).  There are hundreds of potential enemies. Blackmail and bribery are generic techniques that can be used to compromise people--they can be used by the US government, foreign governments, private criminals, activists, *anyone*.  If the security clearance investigation excludes the people who would have been most susceptible to those techniques, then having passed it adds some value.  How much?  That, I don't know.  

>> but no one trying to infiltrate your project will tell you about those.  
> 
> Sort of, maybe.  Actually, anyone infiltrating your project will set it
> up so they don't need to tell you.
> 
> Very different thing.  You simply have to respond by making it mandatory
> for them to state such things.  It's a common thing to have a policy
> requiring conflicts of interest to be disclosed, indeed it is even law
> in some circumstances.

Maybe you should simply monitor packets coming from them to check if the evil bit is set?  If someone is a covert employee of the FBI on assignment to infiltrate your organization, they will not tell you about it.  Nor will they be the least bit worried about any court in the US upholding any kind of contractual obligation to tell you.  Similarly, if someone is under the thumb of the Chinese government thanks to those really revealing blackmail photos of their vacation in Thailand, they just aren't going to tell you who they are ultimately working for, because they *really* want to keep the guys holding those photos happy with them.  

Federal employees have to disclose conflicts of interest--there is a yearly declaration involving your investments and arrangements and planned jobs and such.  I guess many companies do the same thing.  And this is worthwhile for what it gives you--it probably helps keep people from getting into situations where their personal interests and their job is in conflict.  But it doesn't keep them from having some covert interest which they have decided not to disclose.  

> iang

--John

