Making a Linux Foundation-Like Foundation for Cryptography Libraries
One of the things that the recent Heartbleed bug really should alert us to is the fact that our crypto libraries need work. On the one hand, we know that trusting a crypto library developed by a single company is probably a bad idea - such a library gets fewer eyes on it performing code reviews, and also may not be motivated to immediately fix vulnerabilities they are aware. Of the other side of the coin, we have open source libraries, most notably at the moment being OpenSSL, which lack the resources available for a large company to drive development.
To cap all of this fun, we have the reality that making your own crypto library is probably a bad idea, since it is notoriously hard to do this well.
After hearing someone questioning why a large company wouldn’t just write their own library rather than use OpenSSL, and pointing out the difficulties of writing a new crypto library, I got to thinking about how we might be able to make a higher quality cryptographic library from scratch - one that would be open source, but could benefit from capital (both monetary and knowledge) of companies as well - and thought about the Linux Foundation.
Note: Javascript required to post comments. Comments no longer available.
The Linux Foundation benefits from a number of large companies which recognize the benefit of a Linux independent of their competitors - yet funded enough to be used in new products - but retains independent of their particular commercial desires.
Given the dependence on OpenSSL by many companies with Internet facing services, this seems like a Linux Foundation-like organization has potential for creating better cryptographic libraries for everyone.
To state more clearly, I think we need an organization dedicated to making a new cryptographic library (or audit and improve an existing one) with the following characteristics:
-
FLOSS - all software products released should be Free, Libre and Open Source, so that they can benefit everyone and have independent audits
-
Independent - this organization should not be dependent (or owned) by any single entity or organization
-
Focused - this organization should do one thing well, and that thing should be produce secure cryptographic libraries
-
Not-for-profit - while it needs to have paid employees, the mission of this organization needs to be to make a better crypto library, not to pad its bottom line
So I’d like to know what people think about this idea in the comments. Hopefully I’ll be refining the concept in the future, but I’d like to know - is this a good idea? If so, what have I missed?
Or even is someone else doing this already and I’ve just missed out somehow?