Trust validation of programmers

Aleph One aleph1@dfw.net
Fri, 26 Jun 1998 00:14:14 -0500 (CDT)


On Thu, 25 Jun 1998, Stout, Bill wrote:

> Is there a certification authority or bonding process for hiring or
> contracting programmers who develop security systems?  Something similar
> to the Department of Defense background check for the commercial market?
> 
> We talk about how important it is to do strong authentication of the
> user for trust validation, but not strong authentication of the
> programmer or organization who wrote each piece of the security system.
> Certificate authorities such as Verisign, GTE, etc, exist for server
> websites and applets, user browsers and e-mail, but not for
> contractors or hirees who write sensitive programs (or security source
> code itself).  It'd be of some comfort to hear the contracted say 'Yes,
> I'm bonded' or better yet, 'Here's my commercial security
> certification'.  Though I have no suggestions on how that trust would be
> validated by the C.A. in granting a certificate of trust.

CA's bind identity. Nothing more. You are better off looking for some
type of security certification. There are a couple of security institutes
that have certification programs, although I cannot recall their names off
the top of my head.

> Bill Stout

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01