[E-Lang] ERTP-aware MintMaker

Jonathan S. Shapiro shap@cs.jhu.edu
Wed, 14 Feb 2001 23:27:30 -0500


Ah. I took "public" to mean "by independent parties", which was stupid
of me. Pardon, please, the result of my exhaustion.

Purely as a point of historical artifact, the documents for some of the
assurance reviews done by NSA have been made open in the sense that you
mean. I concur that public and open process is important.

> Your note most directly challenges my "This is the only process that can
> ever give real confidence in the security of a system."...

I agree that public confidence can only come from open, public process.
I'll still argue strongly that the process must not only be open and
public, but also rigorous and systematic.

Actually, on second thought, I don't agree that public confidence will
ever come from public process. Consider government as a counterexample.
The problem in security is that the public for the most part cannot
evaluate the process or the artifacts and so forms judgements on the
strength of reputation. I think the real key to your point is that
reputation cannot be cross-substantiated unless the process that
generates it is open and public.

> An open and public process... is less corruptable.

Excuse me, but when you say a thing like this there are two
interpretations possible. One is that you are raising an issue of
principle. In that regard I agree with the statement: in abstract any
open process is less corruptable than a closed process.

But the other possible interpretation is that you are reacting to some
specific corruption that you know to have occurred. If you have evidence
of such, please do disclose it, because we need to know. If you have no
evidence of such, then your words can be read as a slur on the people
who have done the existing processes. If so, it's the most damaging type
of slur, because nobody can defend themselves for fear of making
themselves look guilty. I really don't believe that you meant this, and
I would appreciate it if you might clarify.

> Remember the behind-closed doors reviews of Clipper?  Besides questioning
> their quality, people also questioned their honesty.  Whether they actually
> were honest is besides the point -- it was a valid concern.

It was a very valid concern, but we need to be careful to distinguish
between issues of lack of confidence and issues of lack of integrity.

> If I had to choose, I'd take "open public" over "rigorous"
> any day.

I would not. The fact that a man proclaims over the radio that the sky
is falling, or that a system is secure, does not make it true. I also
want open and public, but rigorous and systematic is utterly necessary.

Jonathan