On Mon, 18 Sep 2000, Kerry L. Bonin wrote:
> To one extent, this has already happened. Under 15 CFR Part 740.13, in order to distribute public domain / open source cryptographic software without the classic restrictions under ITAR, you have to register yourself by sending an email to the NSA (well, the BXA address whose office happens to be in Ft. Meade.)
>
> So we already have mandatory registration for open source crypto developers.
Hm. That's true, but it's not in the spirit of what I meant. I was thinking more along the lines of something tied to legal liability for defects. That is, the registration/licensing comes about more "organically" instead of being called into being straight by regulation.
> If key escrow legislation finally passes, they've got the list of individuals and companies to lean on, and I imagine that's where licensing will come in.
Yup, any such list is dangerous - although the pressure may not come from key escrow per se, but from businesses who become fed up with security being "not the vendor's problem." As in "show us that all your crypto engineers and subcontractors are properly licensed." Maybe you can think of this as touching on reputation management or credential management, although I expect most Professional Engineer certs are issued to True Names.

Schneier has made the point several times that vendors do not provide strong security because they generally aren't liable for the consequences. I tend to agree with him. My worry is what the world will look like after more people agree with him and then try to "fix" things their way.

By the way, I am glad to hear from Choate that licensing is not as draconian as I thought down in Texas. My apologies for the scare; I suspect I was reading too much into the ACM reports about "Licensing of Professional Engineers." Thankfully, the ACM seems to be resisting such moves for now (see second link), but who knows about five years down the line. (Bureaucratic inertia is no reason for complacency; I remember reading in WIRED of 1995 or thereabouts of a "Digital Copyright Working Group" about to convene and study the Internet "problem." Then nothing. Five years later, the U.S. has the DMCA.)

In fairness, "vendors don't provide security because they don't have to" seems to be a symptom of a larger issue with liability for software, especially software sold to us mass-market consumers. I expect markets exist in which software has to be held to an extremely high standard of reliability (e.g. Space Shuttle, financial markets, health software, embedded systems spring to mind). How are liability issues dealt with in those fields, and how did they come to be that way? Would the same thing happen with crypto and security software? (How do I ask that question better, because it seems too vague now?)

Thanks,
-David