[trustable-software] Fwd: Is 'safe + secure' equivalent to 'trustable', or a subset?

Paul Sherwood paul.sherwood at codethink.co.uk
Wed Nov 30 10:20:07 UTC 2016


On 2016-11-30 09:20, trustable at panic.fluff.org wrote:
> The old Orange Book and Blue Book Trusted security criteria
>  
> https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria
> 
> are clearly about the behaviour of executing systems; they are really
> not about the construction of such systems. I think for this community
> we are really interested in the provenance.

Some of us are interested in provenance for sure. But provenance alone 
is not sufficient, unless our only objective is to point the finger of 
blame when things go wrong.

I am mainly focusing on construction, though, i.e. how to improve the 
activities and processes that lead to systems, not just the systems 
themselves.

> Is perhaps the word we are looking to describe what is delivered for a
> system is provenance and not trustable or trusted ??

I started to think that a Venn diagram covering [secure, safe, mission 
critical, trustable, trusted, provenance, reproducible, traceable, 
connected] might help, but my attempts so far are not encouraging.

So I'm going to fall back to some (draft) logic versus our potential 
term, which I'll call zzz for now. Additions/improvements/criticisms 
welcome:

- For software to be zzz we need to know its provenance
- For software to be zzz we need to be clear about what it is supposed 
to do, and be able to confirm that it does that and only that
- For software to be zzz we need to be able to re-build it from source 
and expect that it still does what it did before
- Connected zzz software needs to be secure
- Some zzz software needs to be safe
- Mission critical software is normally zzz, but some zzz software is 
not mission critical (because it may not conform to the norms of, or be 
relevant to, users of that term)
- High integrity systems normally contain software which is zzz, but zzz 
is required more generally than the common interpretation of the term 
'high integrity' (maybe?)

I hope readers are not getting too bored/frustrated with this 
philosophizing/bike-shedding [1].

Maybe I should just say 'I called it trustable in the initial 
call-to-action. We now have the trustable.io domain and some 
infrastructure. Let's get on with the work...'

br
Paul

[1] https://en.wikipedia.org/wiki/Law_of_triviality
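As an added illustration of the "re-build it from source and expect that it still does what it did before" point in the list above (this is example code, not from the thread or from the trustable.io project), the following POSIX sh script runs a build twice in fresh directories and compares the SHA-256 of the artefact, so that the digests can also be kept as part of a provenance record. It assumes `sha256sum` or `shasum` is available; the two toy build commands are constructed, one deterministic and one that embeds the build directory path, a common cause of non-reproducible output.

```shell
#!/bin/sh
# Added example: bit-for-bit reproducibility check for a build.
# Everything below (function names, toy build commands) is constructed for
# illustration and is not part of the mailing-list thread.

# Portable SHA-256 of a file: prefer sha256sum, fall back to shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# reproducible_build_check BUILD_CMD ARTEFACT
#   BUILD_CMD is executed with `sh -c` inside a fresh temporary directory and
#   must write ARTEFACT (a relative path) there. The build is run twice; the
#   function prints both digests (for the provenance record) and returns
#   0 when they match, 1 when they differ, 2 if a build or setup step failed.
reproducible_build_check() {
    build_cmd=$1
    artefact=$2
    d1=$(mktemp -d) || return 2
    d2=$(mktemp -d) || return 2
    (cd "$d1" && sh -c "$build_cmd") || return 2
    (cd "$d2" && sh -c "$build_cmd") || return 2
    h1=$(sha256_of "$d1/$artefact")
    h2=$(sha256_of "$d2/$artefact")
    rm -rf "$d1" "$d2"
    echo "run1 sha256=$h1"
    echo "run2 sha256=$h2"
    [ "$h1" = "$h2" ]
}

# Constructed toy builds:
# - output depends only on the fixed "source" text, so it should reproduce
DETERMINISTIC_BUILD='printf "hello\n" > src.txt && cat src.txt src.txt > out.bin'
# - output embeds the absolute build directory, so two runs differ
PATH_EMBEDDING_BUILD='printf "hello\n" > src.txt && { cat src.txt; pwd; } > out.bin'

main() {
    if reproducible_build_check "$DETERMINISTIC_BUILD" out.bin; then
        echo "deterministic build: reproducible"
    else
        echo "deterministic build: NOT reproducible"
    fi
    if reproducible_build_check "$PATH_EMBEDDING_BUILD" out.bin; then
        echo "path-embedding build: reproducible"
    else
        echo "path-embedding build: NOT reproducible"
    fi
}

main "$@"
```

Running the script prints the two digests for each build; the first pair matches and the second does not. For a real project the build command would be the project's own build invocation and the digest pair would be stored alongside the source revision it was built from.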
