[Cryptography] Security clearances and FOSS encryption?

Kevin W. Wall kevin.w.wall at gmail.com
Thu Jul 17 02:04:18 EDT 2014


On Tue, Jul 15, 2014 at 2:31 PM, Rick Smith, Cryptosmith <me at cys.me> wrote:
> On Jul 15, 2014, at 1:00 PM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
>>
>> Exactly, the people to worry about are the people who don't declare their affiliations and/or clearances.
>
> And so, let me ask the community: is it a common practice in the FOSS community to produce a detailed dossier on all participants, or is participation based on the contributor's visible established net cred as a developer?
>
> I suspect it’s the latter but I have no idea what the general practice might be.

Mostly the latter.

I've been involved with several FOSS projects with OWASP (Open Web Application
Security Project; www.owasp.org) and I've never seen a case where people's
organizational affiliations and/or security clearances have even been asked, let
alone questioned / second-guessed. If anything, I think OWASP and other
FOSS organizations would have bigger concerns about company IP rights than
subterfuge by a spook. The main concern of OWASP on the 4 projects I've
been involved with is competency / expertise. Initially, until you prove
yourself, many of the projects won't even grant you commit access to their main
code repository. You have to "prove yourself" first by maybe doing something
like fixing some bugs and attaching your fixes / patches to the ticket
describing the bug, and someone else then reviews it and does the commit.
Eventually, if you continue to contribute, you are granted commit access.

I can't speak for other projects like Apache or Linux or whatever, but for
OWASP, this is a common modus operandi, in part because volunteers are scarce
and experienced, committed volunteers are even scarcer. All we do is make sure
that those contributing are willing to assign copyright over to the OWASP
Foundation and accord their code and/or documentation one of the several
approved FOSS licenses (including Creative Commons for documentation). We make
that clear ahead of time, but even that has generally (in my experience) not
been a formal process, but rather just an informal acknowledgment.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.