China defines ‘golden image’ as source, apparently

A few weeks ago, when I thought the ‘golden image’ in NIST SP800-147’s Provisioning phase required source access to the firmware, the story below would have been an example of the only way vendors would get access to the source code of their closed-source firmware:

http://www.theinquirer.net/inquirer/news/2431029/ibm-shows-its-source-code-to-chinese-authorities-as-a-gesture-of-good-faith

However, as clarified in an email ‘interview’ [1] with Andrew of NIST, the ‘golden image’ can also be a closed-source blob, in which case we’re supposed to *TRUST* the vendor. Now that “cyberwar” is a mainstream topic, governments will likely not trust closed-source blobs from foreign countries much anymore, at the firmware, operating system, or application level. But consumers don’t have the pressure that governments do, so we get to continue to *TRUST* the vendor and the PKI backing the firmware, most of the keys of which we cannot verify, with no acts of good faith from vendors to non-government players. 😦

[1] https://firmwaresecurity.com/2015/10/13/interview-with-andrew-regenscheid-of-nist/

 

 

 
