From: Alan Dechert <dechert_at_gmail_dot_com>
Date: Wed Feb 07 2007 - 17:19:11 CST

Ben wrote,
> It may well be true that going to full disclosure right away is bad.
> But that does not imply that partially good is beneficial.
> If what you're talking about is a staged deployment: application code
> must be open in 2007, operating system in 2008, drivers and microcode in
> 2009, then that's great, but it should be written that way in the OVC
> plan. The goal has to be the whole package, and we can't fool ourselves
> and think we've improved security until the very end. Not against
> malicious adversaries.

Now you're getting to something, Ben. I would love to lay out the whole
package in great detail. I don't have the resources to do that right now.

This is a very messy environment for detailed plans, besides. It's not to
say we shouldn't try to make them, but we have to have a flexible plan.
There are just too many variables.

The strategic plan I published a few months ago is very sparse -- designed
to fit on one page. There is no timetable. We're in phase one still.

Disclosed/open source systems in the fairly near future are just a step in
the direction -- a milestone in the strategic plan.

Our bill (CA Assembly -- Krekorian ... no number yet) is a very important
part of the plan. We'll know in the next few weeks how well this shapes up.
Similar bills may be introduced in other states as well.

If I had enough money, I could lay out the plan and we could be sure we had
the resources to work the plan. On the other hand, some would say we have
to have the plan to get the money. All I know is that I don't have any
money and I'm spread way too thin to stop and work on a detailed plan. If
anyone wants to help with that, I'm listening.

Alan D.

