Why Are Software Resources So Unreliable?
The news about breaches and embedded malware is incessant. How is it that major supply chain software, for just one example, can be so badly compromised?
What can be done about it?
The challenges we face with corrupted software, as well as other digital age challenges, resemble challenges that were solved in the physical world through the application of the strong personal accountability associated with professional licensing.
Think about accountability for things or services in the physical world: A professionally licensed, expertly qualified individual puts their reputation on the line by signing and taking legal responsibility for the integrity of something. Professional licensing has proven itself for centuries as a way to bring personal accountability to the professional practices, from bridge designers to doctors to architects.
Essence of the Initiative
The Professional Licensing Initiative starts with identity certificates that carry a measure of their own reliability, using the IDQA (Identity Quality Assurance) metrics.
The Professional Licensing Initiative brings back individual accountability for claims and representations made in online spaces via its professional licensing program.
One of the reasons that professional licensing has been so effective in the physical world is that professional licensees tend to enjoy a very comfortable income from their services. The prospect of losing that income motivates professional licensees to practice with diligence. We’re using that same model to bring new levels of diligence to the digital world, by showing that paying professional licensees well is in every relying party’s best interest.
Most software products are digitally signed, meaning that you, the relying party, can know that nothing has been altered – not a single bit – since it was signed.
That’s supposed to provide you assurance that the software is trustworthy. But… who did the signing? Typically, signing PENs (private keys) are a departmental asset. So… the code is signed by… what, a department, a bunch of people, no one of whom bears direct accountability?
Is it any wonder that time and time again, criminals have managed to get their hands on those signing PENs? For the answer, consider some of the horrendous recent supply chain software breaches.
What is required of a Professional license applicant?
To qualify, an applicant will need:
- A Digital Birth Certificate™ and associated PEN (private key) issued by Osmio VRD
- A suitable background, as determined by standards set by the Professional Licensing Board
- Evidence of an established record of integrity
- A passing grade on the appropriate licensing examination
The various professional licenses in Osmio are valid for different periods, as set by the responsible commissions.
Why Would A Professional Licensee Accept The Liability?
As you may know from our other videos, a critical feature of the PKIDR infrastructure is Accountable Anonymity, which lets a credential holder assert their identity without disclosing their identity.
While the professional license is bound to the licensee’s identity certificate, unlike that certificate it does disclose the identity of the license holder. In that way it’s a special derivative of the professional license holder’s identity certificate. Unlike the identity certificate that it’s bound to, the professional license digital certificate makes its holder’s identity quite public, putting their good name and reputation on the line.
You may be wondering why a professional license holder would accept liability for their digitally signed attestations. The answer is the same reason an architect takes professional responsibility for the habitability of a building: she gets paid well for accepting it. Licensed professionals are truly gatekeepers to the market, and the assurance they provide to both companies and their customers makes their services well worth the price.
And the relying party – you and I – can trust that attestation because the license itself is backed by the duly constituted public authority of Osmio.
Osmio now sets out to extend that personal accountability through its Professional Licensing program, qualifying and certifying individuals who vouch for the integrity of the numerous elements of our digital world, as a building inspector vouches for the integrity of a physical structure. This Professional Licensing INITIATIVE is being launched in order to gather the resources that will get that program off the ground.
A professional license is linked to the identity certificate of its holder, providing direct personal accountability for everything signed with that license. In the event of trouble, there’s no opportunity for finger-pointing because the professional license points directly to an accountable, single human being. Here are some examples of PKIDR™ professional licenses issued by the City of Osmio:
- Code Auditor
- Boot Process Signing Officer
- Blockchain Officer
- IoT Engineer
- Penetration Tester
- Signing Officer
01 CODE AUDITOR
A code auditor attests to the integrity of a piece of software.
Much of the software you use is digitally signed, meaning not a single bit has been changed since it was signed. But who signed it? In most cases it’s signed using a private key that gets passed around the development department of some big software company. Not only is there no personal liability, there’s ample opportunity to sign software that spies on you or does other things that are against your interests. And let’s face it, big software companies put things in their code that no one employee would ever want to be individually held accountable for. BUT … if software is digitally signed by a licensed Code Auditor, you know there’s nothing in it that a responsible, identifiable human being does not take personal and legal accountability for. If someone has tampered with it, you’ll be informed that the signature doesn’t check out.
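As an added example (not Osmio’s or PKIDR’s own code), the Go program below shows the two halves of the code-signing argument made above and in the earlier “who did the signing?” passage: an Ed25519 signature fails on a single flipped bit, yet verification can only ever name whatever party a key is registered to, so a departmental key that is passed around never points to a person. The signer names, roster structure and sample artifact are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signer binds a verification key to whoever is registered as accountable for it. (Constructed.)
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// VerifyRelease checks a signature against the roster of registered keys and returns the
// party the matching key is registered to; it cannot name anyone else, and one changed bit fails it.
func VerifyRelease(roster []Signer, artifact, sig []byte) (string, error) {
	for _, s := range roster {
		if ed25519.Verify(s.Pub, artifact, sig) {
			return s.Name, nil
		}
	}
	return "", errors.New("signature does not check out or key is not registered")
}

// Demo signs a constructed artifact with an individual's key and a shared departmental key, then flips one bit.
func Demo() (individual, department string, tamperErr error) {
	auditorPub, auditorPriv, _ := ed25519.GenerateKey(rand.Reader)
	deptPub, deptPriv, _ := ed25519.GenerateKey(rand.Reader) // key passed around a team
	roster := []Signer{
		{Name: "Jane Doe, licensed code auditor (constructed)", Pub: auditorPub},
		{Name: "release department shared key (constructed)", Pub: deptPub},
	}
	artifact := []byte("sample firmware image v1.0 (constructed)")
	sig := ed25519.Sign(auditorPriv, artifact)
	individual, _ = VerifyRelease(roster, artifact, sig)
	// Whoever on the team used the shared key, verification can only name the key's registration.
	deptSig := ed25519.Sign(deptPriv, artifact)
	department, _ = VerifyRelease(roster, artifact, deptSig)
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01 // flip a single bit
	_, tamperErr = VerifyRelease(roster, tampered, sig)
	return individual, department, tamperErr
}

func main() {
	ind, dept, err := Demo()
	fmt.Println("signed by:", ind, "|", dept, "| after one-bit change:", err)
}
```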
02 BOOT PROCESS SIGNING OFFICER
A specialty in the field of code audit is the BOOT PROCESS SIGNING OFFICER, who takes responsibility for the integrity of the firmware in the UEFI or BIOS chip that boots up your employees’ computers, assuring there are no vulnerabilities that would allow an attack such as the recent TrickBot malware.
03 BLOCKCHAIN OFFICER
Did you know that existing blockchain architectures are vulnerable to takeover by a coordinated gang effort to control the nodes? Then, anything you use that blockchain for can be manipulated by the gang. And if that happens, who is accountable? The Blockchain Officer professional license addresses this problem. Behind each node is a Blockchain Officer who publicly takes personal responsibility for the actions of that node.
04 IoT DEVICE ENGINEER
This one protects against corruption of software and hardware in IoT devices. Any device putting packet vehicles onto the Information Highway should have its packet streams digitally signed by the equivalent of an officer of a vehicle fleet. So if you manufacture webcams, their packet streams must be digitally signed by your IoT Device Engineer, who assumes personal professional liability for whatever those devices do. Before approving a new model of webcam, you can bet they are going to be absolutely sure there’s nothing in it that could participate as a bot in a DDoS attack, spy on its owner, or carry out other mischief.
06 SIGNING OFFICER
The Signing Officer protects your organization from, for instance, hacked content in its website. A web page signed by the signing officer of the organization assures the visitor – and you! – that nothing has been altered since it was signed.
As you may know from our other videos, a critical feature of the PKIDR infrastructure is ACCOUNTABLE ANONYMITY of individuals. A professional license is different – it’s a special derivative of the professional license holder’s identity certificate. Unlike the identity certificate that it’s bound to, the professional license digital certificate makes its holder’s identity quite public. A licensed professional is trained, licensed, and paid well to put their good name and reputation on the line to vouch for something.
You may be wondering why a professional license holder would assume liability for what they sign. The reason they would do that is the same reason an architect takes professional responsibility for the habitability of a building: she gets paid well for accepting that responsibility. Licensed professionals are truly gatekeepers to the market, and the assurance they provide to both companies and their customers makes their services well worth the price.
And why should WE trust a signer to execute that duty responsibly and in good faith? Because her professional license is backed by DULY CONSTITUTED PUBLIC AUTHORITY – and because that license, her reputation, and her livelihood are on the line with every signature.
Join Us As A Charter Member
The Osmio Professional Licensing Initiative is just getting started. By joining the Initiative at this early stage, you and your organization can have a special role in shaping the organization as it grows.
Your Membership helps to ensure the success of the Initiative, and by extension the viability of the software and other important digital tools that your organization depends upon. By contributing to its finances, governance and standards, and by spreading the word, you are helping to make reliable software a ubiquitous reality.
Join other management leaders in bringing reliability to the digital world.
Charter Memberships in the Professional Licensing Initiative ($USD)
| Organization Size | Annual Charter Member Fee |
| --- | --- |
| 5000+ FTE Employees | 10,000 |
| Individual | Contribution of time only |
| Nonprofit | 50% reduction in fee |
Use of Proceeds
A great deal of work will be required to make the Professional Licensing Initiative a functioning reality, protecting digital facilities around the world from the consequences of lack of accountability. We’ll need to establish dialogues with professional liability insurers; we’ll need the services of domain experts for development of qualification and testing standards; and we’ll need an effort to get organizations to bring professional licensing into their code signing practices.
Advantages of Charter Membership
As a Charter Member, you’ll be included in the Charter Members’ Advisory Council, giving you the opportunity to influence the way the Initiative develops in coming years.
You’ll also get to display the Professional Licensing Initiative Badge on your sites and other materials, letting everyone know of your commitment to a digital ecosystem that provides Real Reliability and Real Security.