A proposal for Independent Security Standards Body

(Apologies in advance, I have much energy to this ambitious task - I appreciate all who take the time to read through this and any advice is appreciated).

Some Background To This Post

Given all the security benefits of Qubes, it is extremely frustrating that it is in-practice undermined by current hardware-firmware design - much of which can be very simply fixed. Considering that Joanna made this point very clear many years ago (see: Joanna Rutkowska: Towards (reasonably) trustworthy x86 laptops - YouTube) it is not just frustrating, but infuriating.

Thus my frustration has led me to write this post.

I wrote this post recently, 'Reasonably Secure Hardware' (Stateless Laptop Progress & More), but realised that there is not really a central place to discuss or define improved standards, and I conclude that such talk is hindered because of this - thus, for there to be a discussion I have concluded there first needs to be a clear purpose to that discussion, which is a wider forum than Qubes.

What is the problem?
Continually subpar hardware design/implementation by manufacturers, in regards to security.

The Solution?
An independent hardware certification body, incentivising manufacturers to adopt secure hardware standards.

Introduction

Manufacturers need to make a profit to stay alive.
Manufacturers will not add a feature if it does not add value.
People buy emotionally, not logically.
To get a buyer emotional they need to understand why this is a problem they need to solve, in a way which gets them emotional - suffice to say, a discussion on ‘Intel Management Engine’ will not get 99% of people emotional.

How will the Body lead to secure hardware?

  1. By defining clear standards, created by the community.
  2. Intelligent Marketing
    2.1) Simple, Outstanding Branding
    2.2) Campaign in the emotional language of the buyer
  3. Work together with the community and manufacturers/external standards bodies to prove the commercial incentives. (e.g: qubes certified - qubes is a trusted brand, with a large commnity whom trust its certification process - thus leading to more sales. Market this: without this certification, this body of buyers will not be emotionally invested) and thus get the standards adopted by manufacturers and external bodies such as CSfC (NSA Commercial Solutions for Classified).

Isn’t this Qubes Certified?
No, Qubes certified is specific to Qubes. Although I do use Qubes and I would like reasonably secure hardware (i.e: statless laptop) to use with Qubes, a statless hardware certification has benefit for non-qubes users. Thus, Qubes Certification is not the way to market to this wider community.

Who does this add value to?
Everyone, ultimately. The real question to attain this goal, is what groups are easiest to market to (already identify the need), with the buying power, I shall list a few I can think of:
CSfC (become part of the standard - i.e: as of CSfC standard v3.0 to access black networks on Mobile End User Devices the MEUD requires stateless certification)
Qubes Users
Purism Buyers
Other privacy-conscious buyers, such as frame.work laptop buyers

What’s the point in this post?
While I have the will and time to communicate between different bodies, I seek guidance from those more experienced.
I believe this is relevant to Qubes, as I have read (long ago) that the team intended to expand the hw certification program into different levels, (and I think necessary given current the current lack of adoption), which would be complementary to an independent hardware certification, e.g:
Qubes Bronze (Hardware fully supports Qubes out of the box)
Qubes Silver (Meets bronze & has critical hardware switches)
Qubes Gold (Meets Silver & meets the Secure Hardware Foundation’s Stateless Certification Requirements)
etc

Working together like this, (I am certainly willing to at-least), would increase qubes adoption by enabling more manufacturers to easily attain ‘certification’ - thus users can trust that qubes will actually run (which right now is an issue). Need I say more than this is a positive circle of growth, the more users, the larger the community who will then push for Silver and Gold to become the Bronze standard.

Final words - where I currently am with this
  • I do not seek this as some utopian project to be moved to trash, I would ideally like to work with people who share the same aim/aligned-aims, and have time to spare. I’m thinking Qubes team, Free software foundation, purism, please suggest any more.
  • I would appreciate some advice from more experienced community members as to how to approach these other communities such as purism, fsf, etc. I don’t want to detract from their community goals; I don’t feel so insecure approaching manufacturers or certification bodies like CSfC as they speak marketing - I am not as well versed in approaching grassroots initiatives such as Qubes (apologies if this post is very bad).
  • I have the time and will to pursue this. All advice is appreciated, if you think it cannot work, please tell me why - as I’m committed to improving hardware security and if this is not the right path I will seek the one that is. I am also not so secure on how to start/setup a project like this where I can ensure to others that I am not the 100% shareholder dictator who can screw it all, advice appreciated
1 Like

I feel like this isn’t specific to Qubes but more reads like business proposal or venture idea?

Maybe FSF ‘Respects Your Freedom’ certification would be a good starting point here. It does not really mean ‘secure’, but at least it means verifiable and customizable I think.

See also: Port Qubes to ppc64 [3 bitcoin bounty] · Issue #4318 · QubesOS/qubes-issues · GitHub

You could also start a similar topic on Purism forums.

Yes, it is not qubes-specific - rather, relevant. Is the post unclear?

Thank you for that, the FSF are the most advanced in this respect. I see they have a members-only forum, though I’m not a member.

I am not a member of the purism forums, though I shall signup and make a similar post; (I read recently on their forum they are open to talks regarding certification again, following certain production issues they had last time).

Together with Insurgo w tried to reach them in context of KGPE-D16, which has great potential and was certified in the past. Unfortunately there was very little engagement. During 3mdeb vPub we had even Richard Stallman as guest, but I’m worried a lot energy can be wasted trying to get traction from FSF without gaining much.

Of course FSF as well as EFF should be invited to discussion, but it should be their decision about level of engagement.

@Quser59 your concept IMO needs more high quality content and definitely it needs some roadmap. This is also what Richard said create roadmap and include release notes to your publications so everyone knows where you going and progress you making. Other thing would be defining precisely how community can help.

Maybe public MkDocs hosted on Github, that gathers all related threads and materials?

1 Like