CDR: RE: was: And you thought Nazi agitprop was controversial?

dmolnar dmolnar at hcs.harvard.edu
Mon Sep 18 21:11:36 PDT 2000



On Mon, 18 Sep 2000, Kerry L. Bonin wrote:

> To one extent, this has already happened.  Under 15 CFR Part 740.13, in
> order to distribute public domain / open source cryptographic software
> without the classic restrictions under ITAR, you have to register yourself
> by sending an email to the NSA (well, the BXA address whose office happens
> to be in Ft. Meade.)  
> 
> So we already have mandatory registration for open source crypto developers.

Hm. That's true, but it's not in the spirit of what I meant. I was
thinking more along the lines of something tied to legal liability for
defects. That is, the registration/licensing comes about more
"organically" instead of being called into being straight by regulation. 

> 
> If key escrow legislation finally passes, they've got the list of
> individuals and companies to lean on, and imagine thats where licensing
> will come in.

Yup, any such list is dangerous - although the pressure may not come from
key escrow per se, but from businesses who become fed up with security
being "not the vendor's problem." As in "show us that all your crypto
engineers and subcontractors are properly licensed." Maybe you can think
of this as touching on reputation management or credential management,
although I expect most Professional Engineer certs are issued to True
Names.

Schneier has made the point several times that vendors do not provide
strong security because they generally aren't liable for the consequences.
I tend to agree with him. My worry is what the world will look like after
more people agree with him and then try to "fix" things their way. 

By the way, I am glad to hear from Choate that licensing is not as
draconian as I thought down in Texas. My apologies for the scare; I
suspect I was reading too much into the ACM reports about "Licensing of
Professional Engineers." Thankfully, the ACM seems to be resisting 
such moves for now (see second link), but who knows about five years down
the line.

(Bureaucratic inertia is no reason for complacency; I remember reading in
WIRED of 1995 or thereabouts of a "Digital Copyright Working Group"
about to convene and study the Internet "problem." Then nothing. 
Five years later, the U.S. has the DMCA.)
 
In fairness, "vendors don't provide security because they don't have to"  
seems to be a symptom of a larger issue with liability for software,
especially software sold to us mass market consumers.  I expect markets
exist in which software has to be held to an extremely high standard of
reliability (e.g. Space Shuttle, financial markets, health software,
embedded systems spring to mind). How are liability issues dealt with in
those fields, and how did they come to be that way? would the same thing
happen with crypto and security software? 
(how do I ask that question better, because it seems too vague now?)

Thanks,
-David






More information about the cypherpunks-legacy mailing list