How about a BCP saying conforming implementations of a wide variety of
security-area RFCs MUST be open-source?

*ducks*


On Fri, Sep 6, 2013 at 2:34 PM, David Conrad <d...@virtualized.org> wrote:

> On Sep 6, 2013, at 2:06 PM, Måns Nilsson <mansa...@besserwisser.org>
> wrote:
> >> Right, because there's no way the NSA could ever pwn the DNS root key.
> > It is probably easier for NSA or similar agencies in other countries
> > to coerce X.509 root CA providers that operate on a competitive market
> > than fooling the entire international DNS black helicopter cabal.
>
> Probably the wrong place to apply the paranoia. How much do you trust the
> AEP Keyper HSM tamperproof blackbox hasn't had a backdoor installed into it
> at the factory?
>
> > Audit and open source seem to be good starting points.
>
> Where feasible, sure. Unfortunately, the rabbit hole is deep.  How many
> billions of transistors are there in commodity chips these days?
>
> Regards,
> -drc
>
>
