[Cryptography] eliminating manufacturer's ability to backdoor users
Allen
allenpmd at gmail.com
Mon Feb 22 14:32:19 EST 2016
My thought that the hardware had to be non-identifiable only applied when
the hardware manufacturer could potentially be ordered to secretly install
spyware on a targeted machine.
The best solution I can come up with at the moment is the open source model
that allows everyone to audit what is being installed, combined with
binaries that are built using a repeatable process and signed by trusted
persons in a jurisdiction that doesn't permit government-ordered back doors.
I also think that in the long run law enforcement will succeed in getting
CALEA type laws passed that cover a wide variety of encryption, and force
technology providers to escrow keys for all encryption products. The only
solution to that problem I think is open source. At minimum, the best way
to deter adoption of a CALEA type law is to ensure everyone has other
alternatives so that the law would be ineffective, and that again points
toward open source.
I realize that is still susceptible to unintentional security
vulnerabilities and to back doors inserted into unauditable components such
as hardware and firmware.
Is there a better solution?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160222/938b8bad/attachment.html>
More information about the cryptography
mailing list