On Tue, Aug 13, 2002 at 11:55:24PM -0700, Brian A. LaMacchia wrote:
| Adam Shostack <[EMAIL PROTECTED]> wrote:
| > On Mon, Aug 12, 2002 at 12:38:42AM -0700, Brian A. LaMacchia wrote:
| >> There are two parts to answering the first question:
| >>
| >> 1) People (many people, the more the merrier) need to understand the
| >> code and what it does, and thus be in a position to be able to make
| >> an informed decision about whether or not they trust it.
| >> 2) People reviewing the code, finding security flaws, and then
| >> reporting them so that we can fix them
| >>
| >> These are two very different things. I don't think that anyone
| >> should count on the goodwill of the general populace to make their
| >> code provably secure. I think that paying people who are experts at
| >> securing code to find exploits in it must be part of the development
| >> process.
| >
| > How are these different? If I'm understanding the code to decide if I
| > trust it (item 1), it seems to me that I must do at least 2A and 2B;
| > 2C is optional :)
| >
| > Or are you saying that (2) is done by internal folks, and thus is a
| > smaller set than (1)?
|
| Yeah, I wasn't very clear here, was I? What I was trying to say was that
| there's a difference between understanding how a system behaves technically
| (and deciding whether that behavior is correct from a technical perspective)
| and understanding how a system behaves from a policy perspective (e.g.
| social process & impact). Those are two completely different questions. 2)
| is all about verifying that Palladium hardware and software components
| technically operate as they are spec'd to. 1) is about the larger issue of
| how Palladium systems interact with service providers (CAs, TTPs), what
| processes one goes through to secure PII, etc. The two groups of people
| looking at 1) and 2) have non-zero intersection but are not equal. And,
| just to be clear, 2) is *not* done only by internal folks, but I expect that
| the size of the set of people competent to do 2) is significantly smaller
| than the size of the set of people who need to think about 1). :-)

Hmm. Lessig would argue that they are not two different questions, but
tightly coupled ones. Have you read his books? I found them worth the
time, and a fun read to boot. I had at least one deep aha moment per
book.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]