On 7 sep 2013, at 00:02, Tim Bray <tbray(_at_)textuality(_dot_)com> wrote:
How about a BCP saying conforming implementations of a wide-variety of
security-area RFCs MUST be open-source?
*ducks*
Well, there is something in there that makes sense.
We do have a program in the world called Common Criteria. That certification
program includes CCRA (CC Recognition Agreement) that implies that countries
that run certification agencies agree that what is certified in one country by
one such certification agency is also viewed as certified in all countries.
This makes it possible to go also with closed source items to one such
certification agency and get it certified according to a specification.
Now, there are of course (at least) two weaknesses in this:
1. A certification must be against some certification testing. That is not an
RFC, but the test itself might though refer to RFCs as for example "a router"
is quite complicated and it is specifically important to know it does not do
MORE things than what is specified in the certification testing specification.
2. How do one know that the certification agency is not lying.
But I think this (or something similar) is still the best we can do and/or
possibly what we should do.
Also with open source software that "claim to implement gPGP" :-)
Patrik