CDR: RE: was: And you thought Nazi agitprop was controversial?
At 02:42 PM 9/18/00 -0400, dmolnar wrote:
Here's another link on licensing of software engineers, this time from the ACM:
http://www.acm.org/serving/se_policy/report.html
it seems that cryptographic/security software, if we ever get the liability structure whose lack is often pointed out by Schneier ("we don't have good security because we don't have to"), may be a prime target for such licensing.
-david
To one extent, this has already happened. Under 15 CFR Part 740.13, in order to distribute public domain / open source cryptographic software without the classic restrictions under ITAR, you have to register yourself by sending an email to the NSA (well, the BXA address whose office happens to be in Ft. Meade.) So we already have mandatory registration for open source crypto developers. If key escrow legislation finally passes, they've got the list of individuals and companies to lean on, and imagine thats where licensing will come in.
On Mon, 18 Sep 2000, Kerry L. Bonin wrote:
To one extent, this has already happened. Under 15 CFR Part 740.13, in order to distribute public domain / open source cryptographic software without the classic restrictions under ITAR, you have to register yourself by sending an email to the NSA (well, the BXA address whose office happens to be in Ft. Meade.)
So we already have mandatory registration for open source crypto developers.
Hm. That's true, but it's not in the spirit of what I meant. I was thinking more along the lines of something tied to legal liability for defects. That is, the registration/licensing comes about more "organically" instead of being called into being straight by regulation.
If key escrow legislation finally passes, they've got the list of individuals and companies to lean on, and imagine thats where licensing will come in.
Yup, any such list is dangerous - although the pressure may not come from key escrow per se, but from businesses who become fed up with security being "not the vendor's problem." As in "show us that all your crypto engineers and subcontractors are properly licensed." Maybe you can think of this as touching on reputation management or credential management, although I expect most Professional Engineer certs are issued to True Names. Schneier has made the point several times that vendors do not provide strong security because they generally aren't liable for the consequences. I tend to agree with him. My worry is what the world will look like after more people agree with him and then try to "fix" things their way. By the way, I am glad to hear from Choate that licensing is not as draconian as I thought down in Texas. My apologies for the scare; I suspect I was reading too much into the ACM reports about "Licensing of Professional Engineers." Thankfully, the ACM seems to be resisting such moves for now (see second link), but who knows about five years down the line. (Bureaucratic inertia is no reason for complacency; I remember reading in WIRED of 1995 or thereabouts of a "Digital Copyright Working Group" about to convene and study the Internet "problem." Then nothing. Five years later, the U.S. has the DMCA.) In fairness, "vendors don't provide security because they don't have to" seems to be a symptom of a larger issue with liability for software, especially software sold to us mass market consumers. I expect markets exist in which software has to be held to an extremely high standard of reliability (e.g. Space Shuttle, financial markets, health software, embedded systems spring to mind). How are liability issues dealt with in those fields, and how did they come to be that way? would the same thing happen with crypto and security software? (how do I ask that question better, because it seems too vague now?) Thanks, -David
On Tue, 19 Sep 2000, dmolnar wrote:
especially software sold to us mass market consumers. I expect markets exist in which software has to be held to an extremely high standard of reliability (e.g. Space Shuttle, financial markets, health software, embedded systems spring to mind). How are liability issues dealt with in those fields, and how did they come to be that way? would the same thing happen with crypto and security software?
Client pays through the nose and software supplier accepts liability for software failure. If you want a software vendor to guarantee anything beyond the occupation of disk space, you're usually looking at five and six digit ($USD) prices for applications. Since that's not usually a consumer price point, this is called "Enterprise" software to distinguish it from the regular kind. It also usually comes with a consulting contract so that the supplier can make sure you don't install it wrong (say, having someone without admin priveleges run the installer and then suing for non-performance because it didn't update the registry) or on a "Pseudo-compatible" Operating system (as software written for AIX will sometimes run on Solaris, for example, but may crash at unexpected moments).... Most Enterprise software is written for Unix boxes. That which is not written for Unix boxes is written for NT boxes. Most enterprise software features "failover" capabilities, meaning it runs on a cluster or network of machines instead of a single box and if the particular box you're talking to crashes, your session will be handed off to another in such a way that you never notice. There are also marketing drones who apply the term "Enterprise Software" to whatever ordinary shrink-wrap software they're selling, because they don't know any better. (*sigh*) If it's priced less than $50K, just ignore them. Bear
On Mon, 18 Sep 2000, Kerry L. Bonin wrote:
especially software sold to us mass market consumers. I expect markets exist in which software has to be held to an extremely high standard of reliability (e.g. Space Shuttle, financial markets, health software, embedded systems spring to mind). How are liability issues dealt with in
There is a specific group that handles the software for the Space Shuttle. There is an article at: http://www.fastcompany.com/online/06/writestuff.html. The solve the liability problem by being *very* *very* anal retentive and good at what they do. -- A quote from Petro's Archives: ********************************************** Sometimes it is said that man can not be trusted with the government of himself. Can he, then, be trusted with the government of others? Or have we found angels in the forms of kings to govern him? Let history answer this question. -- Thomas Jefferson, 1st Inaugural
participants (4)
-
dmolnar
-
Kerry L. Bonin
-
petro
-
Ray Dillinger