Security and user trust ideas

I think that you are presenting the concern near the best that you can with your resources (although, you may want to spell out your resources, see bullet below). Your ideas are huge leaps in the right direction, but there is always more that you can do.

Here are some thoughts and ideas to provide cheap security peace of mind to potential users:

First, by professional, I did not necessarily mean paid. Eventually, there are going to be open source advocate organizations, security focus groups, conferences, etc., that will see these new online password management projects. I consider some groups and people like the above to be ‘professional’. Many non-profit groups, conferences, and security web sites do handle a budget, donations, etc. This is very much professional, and their public credibility also goes a long way.

  • Angle communications of awareness and invitation to these open-minded security groups, businesses, conferences, individuals, and open-source communities. Dare them to break your code, run a contest! Every geek likes a dare, even if they do not win much.
  • Collaborating with google code was ingenious for trust. If there are other opportunities with Google or similar companies, do it. Apple is another up and comer that a lot of security minded people are moving to. Angle the Mac crowd possibly.
  • I do not think you have done the best job of spelling out what your business case/implications are for this project. How will you make money, or not, etc.? To become completely transparent, you need to make an entire page and comment/forum area about what your business plans for the future are; it goes a long way towards trust. I have not seen many companies display their in-depth business plan to the public, yet I think that it would make sense here.
  • Explain, and make simpler, a method of comparing or equivalencing the provided source code with the code being constantly served from your site. Yes, you provide the checksums, but that is of the compressed code. How do we know that the compressed code equals the provided source? There should be a solid, proof-positive system that users can verify automatically, easily and independently, at any time. Maybe checking checksums can become more integrated in some way? A user wants to KNOW that the code coming up on the public library computer he is on is for sure the same, proven source code. The user may not have time for, understanding of, or ability to run md5 or sha1 commands.
  • You could register yourself or become accredited by 3rd party organizations without too much $$. Organizations such as the US Better Business Bureau, http://www.bbbonline.org , TRUSTe http://www.truste.org/ , Common Criteria http://niap.nist.gov/cc-scheme
  • Fully comply with/follow standards such as this NIST Information Security document. It explains how governments get certified and accredited, how security can best be documented, etc. http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf (apologies if my specific references are too USA-based)
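The fourth bullet above asks for a check that the compressed code a site serves really is the published source, not just that the served file matches a checksum of itself. The sketch below is an added example written for this page; it is not code from the commenter or from any password-manager project. It assumes the site's compressor is deterministic (so anyone can rebuild the bundle from the source and get byte-identical output); the `minify` function here is a constructed stand-in for that compressor, the source file is a constructed sample, and SHA-256 is used in place of the md5/sha1 commands the comment mentions. The point it shows is which comparisons actually prove something: hashing the raw source against the published checksum proves nothing, while rebuilding the bundle from source and comparing it to both the published checksum and the bytes actually served does.

```python
import hashlib
import re

# Constructed sample "published source"; not a real project file.
PUBLISHED_SOURCE = """// vault.js (constructed sample)
function encryptVault(key, data) {
    // a real project would call a crypto library here
    return data;
}

function decryptVault(key, data) {
    return data;
}
"""


def minify(source: str) -> str:
    """Stand-in for the site's compressor (assumption: the real one is deterministic).

    Strips trailing `//` comments, surrounding whitespace and blank lines. A real
    minifier is more aggressive, but the verification logic only needs it to be
    reproducible: same source in, same bytes out, on anyone's machine.
    """
    kept = []
    for line in source.splitlines():
        line = re.sub(r"//.*$", "", line).strip()
        if line:
            kept.append(line)
    return "\n".join(kept) + "\n"


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of a text artifact, the value a site would publish as its checksum."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# What the site publishes: the compressed bundle and its checksum (derived here, not real values).
PUBLISHED_BUNDLE = minify(PUBLISHED_SOURCE)
PUBLISHED_CHECKSUM = sha256_hex(PUBLISHED_BUNDLE)


def verify_served_bundle(source: str, served_bundle: str, published_checksum: str) -> dict:
    """Compare published source, published checksum and the bundle actually served.

    Returns one flag per comparison so the caller can see which link in the
    chain holds:
      source_matches_checksum  - naive check: hash of raw source vs checksum of
                                 the compressed code. Always fails, which is the
                                 gap the comment points out.
      rebuilt_matches_checksum - the published checksum really is of code built
                                 from the published source.
      served_matches_checksum  - what the browser received is the checksummed bundle.
      served_matches_rebuilt   - end-to-end: served bytes == bytes rebuilt from source.
    """
    rebuilt = minify(source)
    rebuilt_hash = sha256_hex(rebuilt)
    served_hash = sha256_hex(served_bundle)
    return {
        "source_matches_checksum": sha256_hex(source) == published_checksum,
        "rebuilt_matches_checksum": rebuilt_hash == published_checksum,
        "served_matches_checksum": served_hash == published_checksum,
        "served_matches_rebuilt": served_hash == rebuilt_hash,
    }


def tampered_bundle() -> str:
    """Constructed sample of a served file that differs from the published build by one token."""
    return PUBLISHED_BUNDLE.replace("decryptVault(key, data)", "decryptVault(key, data, extra)", 1)


if __name__ == "__main__":
    for label, served in (("genuine", PUBLISHED_BUNDLE), ("modified", tampered_bundle())):
        result = verify_served_bundle(PUBLISHED_SOURCE, served, PUBLISHED_CHECKSUM)
        print(label, result)
```

In practice the `served_bundle` argument would be whatever the browser downloaded, and `source` a checkout of the published repository at the tagged release; the check is only meaningful if the build step is reproducible, which is why the example treats determinism of the compressor as its central assumption.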
