The CrypTech Project Charter
The CrypTech Project develops an open source design for a hardware cryptographic engine, or Hardware Security Module (HSM), and an associated reference implementation that allows anyone to deploy and audit a secure, low-cost cryptographic engine in their environment.
The CrypTech Project was formed, at the urging of the Internet Engineering Task Force (IETF) leadership, in response to the Snowden revelations of mass surveillance and to indications that the implementations of key cryptographic algorithms and functions had been systematically targeted in an effort to weaken and subvert their utility.
The CrypTech Project Mission and Vision
The CrypTech Project vision is that security infrastructure should not have to depend on closed-source HSM products that cannot be publicly audited and where there is a significant probability that the functions implemented in the product may have been subverted. Security technologies that can benefit from CrypTech include Domain Name System Security Extensions (DNSSEC), Resource Public Key Infrastructure (RPKI), Tor Consensus, Pretty Good Privacy (PGP), Identity Federations, and Certificate Authorities (CAs).
To that end, the CrypTech Mission is to:
- Put hardware crypto capability into the hands of as many people as possible by:
  - Lowering the cost of the technology,
  - Diversifying the manufacturing base, and
  - Enabling good crypto at the edge; and
- Improve the trustworthiness of hardware crypto technology by:
  - Facilitating globally diverse design and development,
  - Utilizing a diverse testing community,
  - Providing transparency in funding and open source solutions,
  - Moving towards an open toolchain for HSMs, and
  - Having third party audits of CrypTech technologies.
The CrypTech Project Team
The CrypTech Project Team includes hardware and software developers, business personnel, technical and business advisors, and sponsors. The CrypTech hardware and software developers include a team of developers supported by CrypTech sponsors along with additional volunteer developers. Business personnel support tasks such as fund raising, marketing, and finance. Technical and business advisors are individuals from the community who provide guidance on technical and strategic direction. Sponsors are organizations and individuals that have provided financial resources to the CrypTech project. Sponsors are currently limited to donations of $100,000 per year to reduce the influence of any single party in the resulting products. Finally, NorduNET provides financial administration, and both NorduNET and the Internet Society facilitate sponsorship donations.
In addition to the team described above, a non-profit corporation, Diamond Key Security, has been established for the development and support of CrypTech-based products and to facilitate the long-term sustainability of the CrypTech project as a whole. Diamond Key Security staff contribute to several of the roles described above and, on an individual basis, are considered part of the CrypTech Project.
Governance
The CrypTech Project takes its governance model from the IETF. Technical and administrative decisions are made by a rough consensus of the active participants.
The CrypTech project funds the core team developers (to the extent possible) but aims to have other people involved be self-funding (e.g. for travel to meetings) and to minimise overhead in general.
Transparency
A key tenet of the CrypTech project is transparency. This transparency is achieved by using open source development practices, public mailing lists, and a public wiki (https://wiki.cryptech.is/).
The open design principles being utilized include:
- All code is open and available under an open and unrestricted license;
- An open, transparent, auditable, and traceable development process is followed;
- The design is open, allowing for customization, observation, and testability – in development as well as during operation.
The names and roles of the current and past team members are public and can be found at: https://cryptech.is/organization/
The CrypTech project posts annual reports detailing technical progress and financial status along with other governance materials at https://cryptech.is/. The 2016 EOY report is at: https://cryptech.is/wp-content/uploads/2014/04/final-EOY-report-for-2016.pdf
This charter was last updated on 2017-10-27.