[Cryptography] The Trust Problem

Jerry Leichter leichter at lrw.com
Tue May 20 18:30:08 EDT 2014


On May 20, 2014, at 2:19 PM, Thierry Moreau <thierry.moreau at connotech.com> wrote:

> On 2014-05-20 14:50, Jerry Leichter wrote:
> 
>> What should you demand to be convinced that you can use some software safely?
> 
> Please demand nothing from this vendor.
> 
> Simply ask yourself how you can share encrypted data "with the people you trust." If this undertaking made a breakthrough in this area, help us learn about their scientific publication explaining it (that would disclose a novel encryption key management scheme)....
You and Tom Ritter misunderstood my posting entirely.

I don't care about Mustbin specifically; it was just an example I happened to run across.  I'm asking *generally*:  How do you produce/gain trust in security software?  If you say to people:  "Don't do your own crypto" - you're saying either "don't use crypto" or "use crypto someone else developed".  Presumably, you want the latter.  So *even for those who might be able to throw together some crypto software for themselves* ... how should they judge software that's out there?  (And of course the overwhelming majority of people couldn't possibly write their own crypto anyway....)

I'm specifically making this a two-party problem:  What should the software maker provide to help the software purchaser make a good decision?  It's also a problem that *good* software makers have to solve - the *bad* software makers don't care.  But of course it must be as difficult as possible for a *bad* software maker to make himself look like a *good* software maker.

BTW, "sharing with people you trust" could mean many things.  It might mean "people to whom you've given an access key", in which case the problem is simple.

                                                        -- Jerry
