Jill Ramonsky wrote:

> > The only question I wasn't quite sure of
> > was whether, if I take your code, and modify it,
> > can I distribute a binary only version, and keep
> > the source changes proprietary?
>
> You can't distribute a binary only version of ANY crypto product,
> surely? No crypto product can EVER be trustworthy unless you can see the
> source code and verify that it has no back doors, and then compile it.
> Unless you give your users the power to inspect the source code, and
> /know/ that it is the source code (because they can actually compile it
> and run the resulting executable) then you could have put all sorts of
> back doors into it. You could have added password theft, key escrow, who
> knows what?
>
> Don't get me wrong. I agree with you that crypto has enough barriers
> already, and I would like to produce something that is as freely
> distributable as possible. "For the masses" crypto is, I guess, an
> unwritten design goal. But allowing people to hide the crypto source
> from crypto users would allow the bad guys (you can define your own bad
> guys) to produce Trojan Horse crypto. Closed source crypto is to all
> intents worthless. (In my opinion). Please feel free to argue that I'm
> wrong.

You - or others - are talking about putting your TLS thingie in an
embedded device? Like a toaster, for sake of discussion, because we
don't want the bad guy to see us doing white bread in the mornings :-)

Are you envisaging a world where toaster owners must be permitted to
inspect and rebuild the crypto code in their toaster so as to be sure
that there are no back doors?

And, are you envisaging a world where you could do more good by forcing
this viewpoint on the manufacturers of toasters, as opposed to a world
where a manufacturer of toasters decides that, regardless of the
possible presence of backdoors, they think it better that the user
cannot see the crypto in the toaster?

If so, then you need to craft some source code availability clause into
the licence. That would mean more like Mozilla, and definitely not like
BSD/MIT and the rest. (And maybe like GPL, as suggested by Jerry.)
Also, note that OpenSSL - your erstwhile competitor - is under Apache
licence and that has no such limit, AFAIK.

In practice, what you are suggesting doesn't work. It is pretty nigh
impractical to take a set of open source, and a finished deliverable
crypto product, and show that one was used to build the other. This is
because the compilation process is not really deterministic and
duplicable, across a variety of times & machines & tools.

In essence, a developer uses the open source if he wants to be sure.
Anyone using a binary only product makes that choice.

> > My own philosophy has always been that crypto has
> > enough barriers on it already, so it should not
> > add any more personality quirks than necessary,
> > hence preference for BSD two clause. Mind you,
> > such a statement is a personality quirk, so you
> > be your own judge.
>
> Eek. Was my paragraph above a personality quirk? I thought it was a
> sound cryptographic principle.

As a highly general comment, when we get to something along the lines
of "you must do it like I say" then you have to apply the God test.
Are we that omniscient? Can we really support the case that we know
how this is best used?

For every successful god, there are a thousand who found themselves
forgotten and unmartyred. RMS is one of the few exceptions; he crafted
a prisoners' dilemma that stretched broad and created a community of
programmers. I can't think of any similar successes in the field of
cryptography, although there are claims.

So, the question you have to ask yourself is, does that arrangement he
crafted - GPL or something similar - have sufficient merit that it
should be applied to crypto?

My call is "no" as I really don't want any user of my crypto to
actually have to think at all about my own beliefs. I want him to use
it as fast and as furiously as possible. (There are many who disagree
with this, but that is orthogonal to the licensing issue.)

I admire the game theory behind the GNU licence, but we should also
note the very large number of companies that won't touch it because of
the costs that it brings.

Now, there are a few GNU crypto products out there. Also, please don't
believe that I have much confidence in the call! What you might want
to do is to check how other GNU crypto products have fared, it would
be a useful exercise.

> > Q: Does your employer have any say or comment
> > on this project? Might be wise to clear up the
> > posture, and either get it in writing, or make
> > the repository public from the git-go. Many an
> > open source project has foundered when the boss
> > discovered that it works...
>
> It has absolutely nothing whatsoever to do with my employer. All my code
> will be written at home in my spare time, and uploaded to CVS or
> whatever also from home. It is true that I happen to be sending this
> email from work, but even that's in my own time. I don't see how they
> have any say. To be /really/ safe, I'd be happy to always post to this
> list only from home, but right now I don't think it's a problem.

It's fairly well established in common law that your employer owns
what you do. You would need to (as Jerry says) check with the contract
you have with the employer, and check what the state law says. If you
have a lawyer friend, ask them.

If you don't want to do that - and I can understand the drudgery of
reading law and contracts when you should be writing crypto - then
just go ahead and write and publish under some licence. At least if
you get told to stop, what is published will remain published.

But, it would be much better if you could get an email from your boss
saying it is ok for you to work on an open source crypto product in
your own time... Consider it a challenge. Even an email from you to
the boss announcing your intentions will be helpful.

iang

PS: IANAL, University of Grisham.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]