[Cryptography] Security clearances and FOSS encryption?

ianG iang at iang.org
Thu Jul 17 17:33:46 EDT 2014


On 15/07/2014 19:56 pm, Rick Smith, Cryptosmith wrote:
> Does anyone appreciate the irony?


Right, we get the security clearance signal confused from an offense and
defence pov.


> If we wish to exclude people with security clearances from FOSS projects, we need our own process for doing background checks. If the person passes the background check, we issue our own security clearance to work on our project.


I would adjust that slightly:  *If you are a target*, you have to
respond, or be owned.  The typical method is to do a background check
[0].


> Is this what the FOSS community is going to want?

Different community.  Here, in this mail list, we write crypto security
code.  Not necessarily FOSS?  Many commercial companies face the same
issues.

> I'd like us to recall earlier discussions - we can't predict which contributors are going to try to subvert our software, even with background checks. How do we cope? The same way we cope with other flaws in the code: we review, test, repeat.

Indeed.  Security clearances are a signal, only.  What is a signal?  It
is a message that is interpretable and misinterpretable.

That said, it represents a very good foil from which to construct a
conversation, leading to an ethical approach.  You only have to ask.

That's all we do, we ask:  "do you have a security clearance?  Do you
have any relationship to police?  Intelligence?  Law?  So, tell us about
that?  What responsibilities?  Is there a conflict of interest here?"



iang

[0]  Quite what you do, how you do it, what to look for, ... is beyond
scope.  But if anyone's got a real issue here, feel free to ping me.
