[Cryptech Tech] design software

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jan 20 00:02:35 UTC 2016


[If people don't want to see more of this debate, let me know]

>For security critical things (everything from HSM's to barbie dolls
>nowadays), we want a small core-team of developers and a large audience
>(something in the order of magnitude of at least 100) of people who can audit
>it.

You need to distinguish though between "can audit" and "will audit".  If you
want to create the presumption of auditability then by all means use some sort
of open format.  However, if existing practice is anything to go by, no-one
will ever audit the code.  They may glance through it (which is how some
existing bugs were found, both the PGP and GPG bugs were found more or less by
accident), but it'll never get audited unless you pay a third party to do it
(in which case they will presumably have whatever tools are needed for the
job).

It just doesn't seem like a good idea to constrain the developers into using
inferior tools in order to accommodate an event that will almost certainly
never happen.

Peter.


More information about the Tech mailing list