On 04/11/14 19:50, Robert Obryk wrote:
> On Tue, Nov 4, 2014 at 5:43 PM, Joseph Bonneau <[email protected]> wrote:
>> First version launched today: https://www.eff.org/secure-messaging-scorecard
>>
>> This was a collaboration between tech advisers (primarily Peter Eckersley
>> and myself) and a good team of people with experience in journalism and
>> activism and there were necessarily some compromises made. The primary goals
>> here were:
>>
>> (a) simplicity for users (and journalists) to draw some conclusions about
>> what's out there right now and we had to make a lot of compromises to keep
>> things simple for end-users to understand.
>>
>> (b) reasonable carrots for some of the traditional messaging apps to add
>> security features, get audits, and publish source code.
>
> In order to get an "audit" checkmark one has to cause an audit to be
> done and nothing more (one can keep the results secret and ignore
> them). If someone tried to maximize their app's rating in the
> scorecard with minimum effort, that's a (from their point of view)
> reasonable thing to do, but it doesn't improve security at all. I do
> not see a way of preventing such gaming while keeping the feature and
> not requiring the audit results to be at least somewhat publicly
> disclosed.
>
So, the justification given is, "Recognizing that unpublished audits can be valuable, we do not require that the results of the audit have been made public, only that a named party is willing to verify that the audit took place."

Unpublished audits can be valuable *to the developer* to further improve their product, but how are they useful to us, the public users? (Why don't I just go upload all my plaintext to a trusted third party?)

Are there applications in the list which got a tick due to an unreleased audit? If so, which ones are those? Perhaps you can visually distinguish it from the publicly-released ones?

X

--
GPG: 4096R/1318EFAC5FBBDBCE git://github.com/infinity0/pubkeys.git
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
