Whitfield Diffie, the inventor of public key cryptography, and now chief security officer at Sun Microsystems, spoke out in defence of the security of open-source software at the RSA Conference in Paris on Tuesday.
Diffie was defending open-source software against an attack made earlier at the same conference by Microsoft chief security officer Craig Mundie.
During his keynote, Mundie had labelled as a "myth" the idea that open-source software can be more secure than closed, proprietary software. "Just because people can look at software, it doesn't mean they will," said Mundie. "You need trained people looking, not just arbitrary people."
Open-source products have steady streams of vulnerabilities, Mundie continued, arguing that closed-source proprietary software gives users a clear point of responsibility where problems will be fixed (the software vendor). "People need an incentive to do the grungy work (of checking security aspects of code)."
"Craig's right," said Diffie. "But there is an asymmetry here. Who is the most important person who should look at the code? You -- the enterprise -- have a moral responsibility to audit that code."
Since Microsoft has pointed out that it is unlikely to take legal responsibility for the security of its code, Diffie's suggestion may gain credibility.
Diffie denied that there was any trade-off between security and usability, saying that if the security risks are properly understood, then security measures become a prerequisite of usability. Car keys make it more complex to lock and leave your car, he said, but they allow you to park your car anywhere in town.
Diffie also said that security cannot be delegated, nor can a user rely on one company for security. "Openness is essential for trust," he said, referring to open-source code, as well as compatibility.
In future we will have to rely more heavily on software for security, he added: "As security migrates further from human intervention, it migrates further from natural human methods of security."
Sun's involvement in security goes back to its foundation as the company that made servers for university Unix sites, he said, pointing out that the secure version of Solaris was created in 1990, and the mainstream version is now very close to it, with features like compartmentalisation built in. Other Sun achievements in security included Java, with its sandbox and byte code verification.
Peter Judge reported from the RSA Conference in Paris.