Last week we published the news that we had found some good alternatives to the open source middleware for the eID, for those who do not want to take any chances and want to invest in a secure smartcard environment. One of the programmers posted the following reaction.
"If you have the money, you don't have to use the open source solution from FEDICT if you want to be absolutely sure.
I always wonder how long such FUD campaigns will last and what drives them. Of course I for one welcome other eID solutions since it increases diversity. This definitely has a positive impact on both the probability that a system is being hacked and the payoff once a system has been hacked. The probability of security weaknesses being exploited decreases once more eID solutions are available, as the competition among these eID solutions will definitely have a positive impact on the code quality. As for the payoff once a system has been hacked, we can also state that diversity reduces the number of systems that are vulnerable to a certain security attack on an eID solution. As security can be roughly defined by probability times payoff, diversity will have a positive impact on the security property of eID solutions. But to state that commercial eID middleware solutions are more secure is somewhat far-fetched. The reason why I open sourced the new eID Applet is because I don't believe in 'security through obscurity' and I want to invite security researchers to construct alternative viable eID solutions.
Frank. Frank Cornelis, firstname.lastname@example.org"
So we have to respond to some points in it.
* First, it is NOT a FUD campaign. It is based on experience with only one aspect of the code (the so-called firewall) and on the study by the professors, which made some remarks about the so-called quality of the code and some of its mechanisms (attention to those remarks was only paid here, as usual).
* There is no drive behind it, no dark forces or commercial interests, just an attempt to keep the discussion going and to push the security and the discussion even further, because if we stop it, who will continue it? And if we look at the way people are treated here when they try to point out mistakes and other conceptual dangers in the middleware, then you can't speak of an open and professional discussion. What is open source if the security of the source can't be discussed in an open process? And in which the upgrade to the latest version is even worse than the one before?
* So, from talking with many other people, we think that many people are looking for other solutions and want middleware that is kept secret, but that can withstand all the security tests, including those from Microsoft.
Because what is the security of a system in which the middleware or the hardware reader aren't secure enough? Open source or not is not what matters, because that is an ideological question, not an operational one. The operational question is how you check the code with different attack and analysis tools and how you continuously revise, upgrade and patch the software as efficiently as possible. And I am not saying that all commercial secretive code is good code. It all depends on the security operations that are applied before the code is used in real products.
And yes, we want more commercial adaptations for the eID cards from world-renowned companies that follow standards and have internal review processes, external community programs and so on. There is an enormous market over here for such products. So let them come, and let the FEDICT middleware be a proof of concept that it is possible; I am sure there are other firms that can deliver other ways to integrate the eID securely in a secure process.