On 7 Sep 2013, at 00:02, Tim Bray <tbray@xxxxxxxxxxxxxx> wrote:
Well, there is something in there that makes sense. We do have a program in the world called Common Criteria. That certification program includes the CCRA (CC Recognition Agreement), which implies that countries that run certification agencies agree that what is certified in one country by one such certification agency is also viewed as certified in all countries. This makes it possible to go also with closed source items to one such certification agency and get it certified according to a specification.

Now, there are of course (at least) two weaknesses in this:

1. A certification must be against some certification testing. That is not an RFC, but the test itself might refer to RFCs, as for example "a router" is quite complicated and it is specifically important to know it does not do MORE things than what is specified in the certification testing specification.

2. How does one know that the certification agency is not lying?

But I think this (or something similar) is still the best we can do and/or possibly what we should do. Also with open source software that "claims to implement gPGP" :-)

Patrik