Sorry for the delay in responding, by the way!
Post by Werner Almesberger
Waiting for a response to the request for permission to publish
it.
1) not clearly within OTF's purview,
2) we didn't explain how we plan to achieve market dominance,
3) we didn't explain in detail what users are doing wrong today
and how that would change,
4) our cost and time estimates look reasonable, but
5) it's not clear how the project would sustain itself.
1) is indeed a valid concern, especially since Open Hardware is
still something new, so even if it meets the objectives of some
funding program, it may simply not have been considered when
defining the details.
I guess they want stuff that gets deployed surreptitiously within
dictatorships, not stuff that keeps the average American safe from criminal
exploitation (amongst other things).
Post by Werner Almesberger
2) sounds like an exaggerated criticism, and aiming to create a
monopoly and thus monoculture sounds like a rather dangerous
proposition when it comes to security.
Indeed.
Post by Werner Almesberger
3) also seems exaggerated, given that what we submitted was a
"concept note", not a doctoral thesis.
I'll come back to this in a moment.
:-)
Post by Werner Almesberger
5) is a fair point. We mentioned that the next step would be
crowdfunding but didn't talk about what's beyond. But then, the
form for the concept note didn't ask about a business plan or
sustainability considerations, so I expected such questions to
be raised at a later point. Besides, they could just have asked.
Indeed.
Post by Werner Almesberger
To sum it up, I'd consider 1) the weak spot of our proposal. We
can try to suggest why it may fit despite outward appearances,
but we can't demand that they widen their scope for us. The
other points all seem a little unfair and shall be challenged.
If you had said that it's for people living in dictatorships unaligned with US
interests (if I may be cynical for a moment), then maybe the attitude would
have been rather different.
Post by Werner Almesberger
Post by Paul Boddie
perhaps because we might get a
feeling for what the reviewers feel is worthy in this day and age,
The folks over at the Core Infrastructure Initiative (sounds
like what's before been at OTF. Did they move?) have a brief
http://lists.coreinfrastructure.org/pipermail/cii-discuss/
There, the main point is sustainability. So the beancounters
may have a lot of weight in the discussion, which may not be a
bad thing in this case. This echoes point 5) from the review.
Sustainability has multiple aspects, as we all know. Keeping yourselves funded
so that you see things through to completion is just one of those. I think the
open hardware aspect, where other people can make sure that the dream lives
on, is another.
Post by Werner Almesberger
Post by Paul Boddie
Maybe they think that password and credentials management is a solved problem,
Yes, the review mentions that there are other password managers
and tokens, so this may indeed be considered a "solved" problem.
As if ... :-)
I was reading Which? magazine again recently (it's like the UK version of
Consumer Reports, I guess), and in their exposé of bad Internet banking
practices, they singled out password strength testing as something various
banks weren't doing, thus getting them deductions from their eventual
percentage-based scores. However, I didn't see any mention of people managing
strong passwords using password managers, which means that this problem isn't
even on their radar yet. *That* is how close this is to being a "solved"
problem.
Paul
P.S. Another thing that came up about banks was that they weren't necessarily
using their special code generator gadgets as much as they perhaps should have
been. I came away from all of this being fairly unsurprised that UK banks seem
to be common "phishing" targets.