> clue on how to increase audit desperately solicited.

Unfortunately the only serious way to do it is to commission the audit from someone. I've paid people to check code, or in one case write a parallel implementation of some critical code that was run against the actual implementation to verify that the same outcome was produced, but that's it.

Another way to get this is to make it a commercial product that can be licensed, which means third parties will commission due-diligence audits (which I've also had done).

Less serious ways to do it involve motivating attackers to do the audit for you:

- Use it in a DRM scheme.
- Use it to lock down a Playstation so you can't run Linux on it.
- Present it to UK universities as "a system designed by a French university".
- Post it anonymously to sci.crypt as a leaked government design.
- ...

Seriously though, the commercial angle is the best approach. Once there's money involved, people will also be willing to commit money towards ensuring that there are no glitches. In more general terms, you need a way to motivate people to do the work, which means either paying them or giving them a target/prize to claim.

Something that arises at that point is that if someone spends money to find and fix issues, they're typically quite reluctant to contribute them back to the public pool. Look at the endless numbers of FIPS 140 evals that both OpenSSL and my own cryptlib have had: anyone who's paid for one keeps the certified product to themselves because they don't want competitors benefiting (the public eval that OpenSSL had was a special case and extraordinarily painful to do; it's had probably hundreds of private evals alongside that).

Peter.

_______________________________________________
Tech mailing list
[email protected]
https://lists.cryptech.is/listinfo/tech
