Yvette rationale

Rationale

Yenta is a large system that handles personal data and routinely talks to a network. As such, it presents a risk to its users that its code contains trojan horses (whether installed by the implementors or by someone hacking the code served to users), unintended security leaks (either in a single Yenta or by virtue of their interoperation), and similar possibly-catastrophic elements. For example, if Yenta's protocols and keys are secure, there is nonetheless the possibility that someone will attempt to compromise the system by altering the system at the point of distribution.

Users hence need some assurance that the software they are running is trustworthy. Traditionally, the ways users are assured of software integrity by some combination of a trusted source and a trusted user community. Trusted sources tend to be either commercial software houses (which are presumed not to deliberately kink their software) or freeware/shareware authors, who provide either source code or checksums of their binaries. A trusted user community serves to keep either source of software (commercial or free) in check, by damaging either the reputation of the author (hence causing users to be reluctant to use later software from the same souce) or the reputation of particular products (by pointing out bugs or corrupted distribution points).

These mechanisms have their faults. Trusting the producer has led to distributions being shipped with viruses in them. It also allows producers to embed features (or bugs) into releases whose effects are not known to the users, but potentially problematical. (For example, consider the the multiple egregious privacy violations in various popular web browsers, including onBody mailto's, inability to disable JavaScript in some cases, unadvertised and impossible-to-disable use of email-addresses and referrer information, magic cookies, and all the rest). Trusting the community leads to a problem of finding all relevant information about the product---has the product been thoroughly evaluated? What have people said about it? If I were to try to evaluate some part of the product that has not been examined before, where should I look first.

The Yenta code-vetting system attempts to solve some of the problems, by combining these features:

Public scrutiny of source code. This is true of any system that makes its source code public.
Public availability of code evaluations. This is partially true of current systems when they are talked about on the Internet, but gathering up such comments in a convenient way is quite difficult.
Easy inspection of evaluation coverage. It is much easier to ascertain which portions of the entire system have been vetted, and which have not.
Non-repudiation of evaluations. Evaluations are cryptographically signed. If one trusts the signing mechanism, then the source of any given evaluation can be proven, as well as the exact piece of code that was evaluated.

Lenny Foner

Last modified: Fri Mar 19 22:04:49 EST 1999