On 12/31/06, Francis Cianfrocca <garbagecat10 / gmail.com> wrote:
> On 12/31/06, M. Edward (Ed) Borasky <znmeb / cesmail.net> wrote:
> >
> >  from a technical perspective, I don't think open vs. closed source
> > really has any security impact. I don't think it's any easier or any
> > harder to attack or otherwise compromise open or closed source software.
>
> Many security practitioners prefer open-source implementations because it's
> easier to audit them. I have to ship security-sensitive code all the time,
> and my company's large-company customers have always preferred that
> *everything* we ship be on open-source.
>
I'm mainly concerned about people modifying the source.  Even though
it's open source, it's also certified, and any changes that affect
messages sent to Vital require re-certification.  There is also the
danger that Vital could at any time refuse to certify open source
implementations.  If someone modifies the code and starts sending in
corrupt batches or causes other problems, that could happen rather
quickly.

Another option would be to make it free but not open source.  The
source could still be provided for review to those that need it, but
it would require signing a simple contract not to release the source and
not to modify it unless you were a Vital developer, which only costs
$100.  But with those restrictions I doubt many people would even use
the software.  It has a limited market to begin with, even though
there is nothing out there like it that isn't fairly expensive.