[Cryptography] The Trust Problem
Jerry Leichter
leichter at lrw.com
Tue May 20 18:30:08 EDT 2014
On May 20, 2014, at 2:19 PM, Thierry Moreau <thierry.moreau at connotech.com> wrote:
> On 2014-05-20 14:50, Jerry Leichter wrote:
>
>> What should you demand to be convinced that you can use some software safely?
>
> Please demand nothing from this vendor.
>
> Simply ask yourself how you can share encrypted data "with the people you trust." If this undertaking made a breakthrough in this area, help us learn about their scientific publication explaining it (that would disclose a novel encryption key management scheme)....
You and Tom Ritter misunderstood my posting entirely.
I don't care about Mustbin specifically; it was just an example I happened to run across. I'm asking *generally*: How do you produce/gain trust in security software? If you to say to people: "Don't do your own crypto" - you're saying either "don't use crypto" or "use crypto someone else developed". Presumably, you want the latter. So *even for those who might be able to throw together some crypto software for themselves* ... how should they judge software that's out there? (And of course the overwhelming majority of people couldn't possibly write their own crypto anyway....)
I'm specifically making this a two-party problem: What should the software maker provide to help the software purchaser make a good decision? It's also a problem that *good* software makers have to solve - the *bad* software makers don't care. But of course it must be as difficult as possible for a *bad* software maker to make himself look like a *good* software maker.
BTW, "sharing with people you trust" could mean many things. It might mean "people to who you've given an access key", in which case the problem is simple.
-- Jerry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140520/571dce24/attachment.bin>
More information about the cryptography
mailing list