How about a BCP saying conforming implementations of a wide-variety of security-area RFCs MUST be open-source?
*ducks*On Fri, Sep 6, 2013 at 2:34 PM, David Conrad <drc@xxxxxxxxxxxxxxx> wrote:
On Sep 6, 2013, at 2:06 PM, Måns Nilsson <mansaxel@xxxxxxxxxxxxxxxx> wrote:
>> Right, because there's no way the NSA could ever pwn the DNS root key.
> It is probably easier for NSA or similar agencies in other countries
> to coerce X.509 root CA providers that operate on a competetive market
> than fooling the entire international DNS black helicopter cabal.
Probably the wrong place to apply the paranoia. How much do you trust the AEP Keyper HSM tamperproof blackbox hasn't had a backdoor installed into it at the factory?
> Audit and open source seem to be good starting points.
Where feasible, sure. Unfortunately, the rabbit hole is deep. How many billions of transistors are there in commodity chips these days?
Regards,
-drc