[Cryptography] The Trust Problem
Dave Horsfall
dave at horsfall.org
Wed May 21 17:41:26 EDT 2014
[ Apologies in advance if I seem to be repeating this story; I'm having
network problems.]
On Tue, 20 May 2014, Jerry Leichter wrote:
> I'm specifically making this a two-party problem: What should the
> software maker provide to help the software purchaser make a good
> decision? It's also a problem that *good* software makers have to solve
> - the *bad* software makers don't care. But of course it must be as
> difficult as possible for a *bad* software maker to make himself look
> like a *good* software maker.
At a minimum, source code. If the provider isn't willing to make it
available (even under NDA) then why should you trust them? You can always
compile it yourself, which is why I use FreeBSD/Linux and not Windows.
Of course, as was pointed out in the seminal paper "Reflections on
trusting trust", you need to trust your compiler. I'm told that a
trojaned C compiler escaped from BBN, but thankfully it runs on hardware
that you'll only find in a museum these days (a Plexus P40, IIRC).
Also has an interesting take on self-reproducing programs.
-- Dave
More information about the cryptography
mailing list