Smalltalk: Requiem or Resurgence? Push for business application

Ron Teitelbaum Ron at USMedRec.com
Thu May 18 12:51:07 UTC 2006


Bill,

Ron: The cryptography pieces in my opinion need to be done in open source to
even be considered. 

Bill: (Quite sincerely) Open source in order to be considered by you or by
"them"?

Ron: I believe that there are two major requirements to successful
cryptography.  

The first is that all implementations should be publicly available; without
the ability to view the implementation, it's difficult for the cryptography
community to assess the correctness and validate that the protection offered
matches current standards.  I know that internal changes to cryptography, to
ease the impact on users (and possibly to prevent interoperability), have
been made by very large companies, for example Microsoft's Kerberos
implementation, which they admit is not standard.  They are trying to keep
their changes secret (1).  For me, I believe there is safety in having the
code exposed, in engaging the security community as much as possible, and in
offering incentives to help find problems before hackers do.

The second is to validate the cryptographic code through certification,
which I believe lowers the risk of companies that adopt the technology.
When a company can point to due diligence that shows a proper
implementation, breaches in security, which can happen to anyone if major
public implementations are hacked, will be easier to defend.  The major risk
remaining is the ability to remove and replace cracked code quickly.

I guess this point could have been stated a different way.  Instead of
saying open source I should have said publicly available.  But my leaning
here is open source since I strongly believe that certified publicly
available cryptography available in Squeak will help to encourage business
adoption.  

Ron Teitelbaum
President / Principal Software Engineer
US Medical Record Specialists
Ron at USMedRec.com 

1. http://www.networkworld.com/news/2000/0511kerberos.html I was just
validating what I said was still true, and it appears that there have been
some additional limited disclosures but those still have not made the
community happy.



