[Cryptography] eliminating manufacturer's ability to backdoor users

Allen allenpmd at gmail.com
Mon Feb 22 14:32:19 EST 2016


My thought that the hardware had to be non-identifiable only applied when
the hardware manufacturer could potentially be ordered to secretly install
spyware on a targeted machine.

The best solution I can come up with at the moment is the open source model
that allows everyone to audit what is being installed, combined with
binaries that are built using a repeatable process and signed by trusted
persons in a jurisdiction that doesn't permit government-ordered back doors.

I also think that in the long run law enforcement will succeed in getting
CALEA-type laws passed that cover a wide variety of encryption, and force
technology providers to escrow keys for all encryption products.  The only
solution to that problem, I think, is open source.  At minimum, the best way
to deter adoption of a CALEA-type law is to ensure everyone has other
alternatives so that the law would be ineffective, and that again points
toward open source.

I realize that is still susceptible to unintentional security
vulnerabilities and to back doors inserted into unauditable components such
as hardware and firmware.

Is there a better solution?