China defines ‘golden image’ as source, apparently

A few weeks ago, when I thought the ‘golden image’ in NIST SP800-147’s Provisioning phase required source access to the firmware, the below story would be an example of the only way vendors would get access to the source code to their closed-source firmware:

However, as clarified in an email ‘interview’[1] with Andrew of NIST, the ‘golden image’ can also be a closed-source blob, in which case we’re supposed to *TRUST* the vendor. Now that “cyberwar” is a mainstream topic, governments will likely not trust closed-source blobs from foreign countries much anymore, at the firmware, operating system, or application level. But consumers don’t have the pressure that governments do, so we get to continue to *TRUST* the vendor, and the PKI backing the firmware, most of whose keys we cannot verify, with no acts of good faith from vendors toward non-government players. 😦
