Trust validation of programmers
Fri, 26 Jun 1998 00:14:14 -0500 (CDT)
On Thu, 25 Jun 1998, Stout, Bill wrote:
> Is there a certification authority or bonding process for hiring or
> contracting programmers who develop security systems? Something similar
> to the Department of Defense background check for the commercial market?
> We talk about how important it is to do strong authentication of the
> user for trust validation, but not strong authentication of the
> programmer or organization who wrote each piece of the security system.
> Certificate authorities such as Verisign, GTE, etc, exist for server
> websites and applets, user browsers and e-mail, but not for
> contractors or hirees who write sensitive programs (or security source
> code itself). It'd be of some comfort to hear the contracted say 'Yes,
> I'm bonded' or better yet, 'Here's my commercial security
> certification'. Though I have no suggestions on how that trust would be
> validated by the C.A. in granting a certificate of trust.
CA's bind identity. Nothing more. You are better off looking for some
type of security certification. There are a couple of security institutes
that have certification programs, although I cannot recall their names off
the top of my head.
> Bill Stout
Aleph One / email@example.com
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01