The Triangle of Secure Code Delivery


Post by sarciszewski » Tue Sep 15, 2015 11:43 am

From Defuse Security, The Triangle of Secure Code Delivery is defined as:
  1. Reproducible Builds
  2. Userbase Consistency Verification
  3. Cryptographic Signatures
Reproducible builds, in practice, require access to the source code, and furthermore being able to reliably and consistently produce a bit-for-bit deliverable. In PHP land, I've built a utility called Pharaoh to diff two .phar files to further this aim.

Userbase Consistency Verification is simply implemented by building a linked list atop a distributed Merkle tree (e.g. the Bitcoin block chain) of the SHA2-512/256 or BLAKE2b hashes, version ID, a timestamp, and any other metadata appropriate for permanently storing this information in a globally verifiable manner.

Cryptographic signatures are the easiest of the three legs of this triangle to solve: Just use crypto_sign() and crypto_sign_open() from Libsodium.

So far there aren't a lot of great tools available for #1 and #2. (Pharaoh is a narrow use-case; it will only help people who produce or consume .phar files in PHP environments.) If we want to achieve a verifiably secure internet, more research and development efforts should focus on these problems. (EdDSA solves #3 for now, and EdDSA-SPHINCS solves it in the distant future.)
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
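
An added example (not part of the original post, and not Pharaoh or Defuse Security code) sketching the Userbase Consistency Verification leg as a hash-linked log of release records using BLAKE2b. The in-memory list stands in for the distributed ledger, and the function names, record fields and sample releases are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed marker meaning "no previous entry"

def blake2b_hex(data: bytes) -> str:
    return hashlib.blake2b(data, digest_size=32).hexdigest()

def entry_id(entry: dict) -> str:
    # Canonical JSON so every verifier hashes identical bytes.
    body = {k: entry[k] for k in ("prev", "version", "timestamp", "artifact_hash")}
    return blake2b_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_release(log: list, version: str, timestamp: int, artifact: bytes) -> dict:
    # Each record commits to the previous record's id, forming the linked list.
    entry = {"prev": log[-1]["id"] if log else GENESIS, "version": version,
             "timestamp": timestamp, "artifact_hash": blake2b_hex(artifact)}
    entry["id"] = entry_id(entry)
    log.append(entry)
    return entry

def verify_log(log: list) -> bool:
    # Recompute every id and check every back-link; any edit breaks the chain.
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry["id"] != entry_id(entry):
            return False
        prev = entry["id"]
    return True

def check_download(log: list, version: str, artifact: bytes) -> bool:
    # Accept a download only if an intact log lists this exact artifact.
    digest = blake2b_hex(artifact)
    return verify_log(log) and any(
        e["version"] == version and e["artifact_hash"] == digest for e in log)

def same_history(log_a: list, log_b: list) -> bool:
    # Two users compare views: both must verify and one must prefix the other.
    # A mismatch means someone was served a different release history.
    shared = min(len(log_a), len(log_b))
    return (verify_log(log_a) and verify_log(log_b)
            and all(log_a[i]["id"] == log_b[i]["id"] for i in range(shared)))

def build_sample_log() -> list:
    # Constructed sample releases, not real artifacts.
    log = []
    append_release(log, "1.0.0", 1442300000, b"constructed build 1.0.0")
    append_release(log, "1.0.1", 1442400000, b"constructed build 1.0.1")
    return log
```

A signature check (leg #3) would sit in front of check_download(); it is left out here because the standard library has no Ed25519 implementation.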