[KEYPROV] Open Software is NOT the answer
Anders Rundgren <anders.rundgren@telia.com> Sat, 13 November 2010 07:35 UTC
Message-ID: <4CDE3FF1.2010103@telia.com>
Date: Sat, 13 Nov 2010 08:36:17 +0100
From: Anders Rundgren <anders.rundgren@telia.com>
To: KEYPROV <keyprov@ietf.org>
Subject: [KEYPROV] Open Software is NOT the answer
Or, to be more correct: Open Source is quite important for establishing new technology, but it is not enough for establishing something "KEYPROV-ish".

Why is that? Because a provisioning protocol, to be useful, must be connected to a container, and here we have a bunch of problems, particularly with respect to hardware devices. My own work in this space has been considerably crippled by the requirement of signed NDAs just for getting a data sheet for suitable security hardware. If you publish software that operates with such a device, you are actually violating the NDA!

The solution as I see it is developing new stuff using standard electronics and publishing that as Open Security Hardware. For true smart card connoisseurs this probably sounds like a pretty bad idea. However, it might very well prove to be the opposite, because it allows you to create a market for "de-luxe" tokens meeting stringent certifications, as well as for low-cost dittos that you can buy at "Wal-Mart", while still powered by the same protocols and middleware. It is all about reaching the critical mass of adoption, isn't it?

The vendors (of course) do not have to publish anything; they would use the Open Security Hardware as a reference. They may even contribute to that part with additional tests, since this part is quite important, but also boring and time-consuming.

Another advantage of using standard electronics is that you can get away from the Wassenaar agreement, because the low-cost version can be manufactured everywhere, including in countries that do not respect international crypto export laws. The latter are quite dubious anyway: nowadays terrorists are legal residents and can buy (or download) whatever they want.

Anders