The list of objectors to the TrueCrypt open source license is a long one and includes some popular distributions such as Debian, Fedora—and by extension Red Hat. In fact, the wrangling over the TrueCrypt license dates back as far as 2006, long before there were serious inquiries as to the trustworthiness of the popular disk encryption software and whether it had been backdoored by a three-letter U.S. intelligence agency or a foreign power.

Now that a serious effort is under way to audit the integrity of not only the TrueCrypt code, but its license, people want to put concerns about using TrueCrypt to rest, resolving not only the license status but also document repeatable deterministic builds of TrueCrypt from source code for Windows, Mac OS X and Linux.

The license, however, requires legal help be brought into the fold. It requires agreed-upon interpretations of a license that some have called “dangerous” and have said introduces more risk and liability to its users than it’s worth.

“It’s one of the least open open-source licenses,” said Kenneth White, who along with cryptographer Matthew Green, helped get IsTrueCryptAuditedYet? off the ground. “It’s certainly very unconventional by U.S. case law standards.”

The project is currently not only evaluating a professional auditing service provider who will look at the 1s and 0s behind TrueCrypt, but is also looking for legal help to wade through the murkiness that is the license. To date, it has raised more than $50,000 to fund the effort.

Against the backdrop of surveillance by the NSA and a call to look closer at the TrueCrypt code, in particular the Windows binaries, the license issue was revisited on Oct. 16 on an OpenSource.org forum. Some expressed discomfort with many provisions in the license, even after it was reviewed and some initial concerns addressed. For example, posters on the forum were concerned about how broad the indemnification clause is protecting the anonymous authors of TrueCrypt. The language is confusing and vague, leaving far too much room for interpretation, according to some; in fact, this is something the license seems to acknowledge with a provision that states:

“If you are not sure whether you understand all parts of this license or if you are not sure whether you can comply with all terms and conditions of this license, you must not use, copy, modify, create derivative works of, nor (re)distribute this product, nor any portion(s) of it. You should consult with a lawyer.”

White said resolution of such issues is critical in order to create the verified, independent version-control history repository for the code that includes a signed source and binary.

“I believe we need to ask the question no one seems to have ever really asked: Why are certain provisions in the license? What, precisely, are the TrueCrypt developers trying to do? Have they been burned in the past?” White said.

Uncertainty of the wording is what led Red Hat, Debian and the Open Source Initiative to recommend against using TrueCrypt. Green said the license fails to explain how the license can be used and under which conditions.

“It didn’t say you could use the license under these conditions and it’s fine, it was a bunch of things you couldn’t do with it and didn’t make it clear what you could do,” Green said. “It seemed to have, either been written by somebody who doesn’t know how to write licenses very well, or it was written by maliciously. Nobody knows.”

There are also legitimate questions as to whether the license is enforceable under current case law, White said, referring to the above provision. The lack of clarity going back a half-decade or more still haunts TrueCrypt and contributes to the current atmosphere of mistrust.

“I actually think this whole exercise is just evidence of the beginnings of a much larger call-to-arms for vigilance, across the open source and security communities generally,” White said. “Let’s be honest—when NIST literally recalls a published cryptographic primitive and ‘strongly recommends against using’ it, over evidence of deliberate efforts to weaken encryption standards by US intelligence operatives, we have entered a whole new era.  And the RSA BSAFE and DPM announcements only serve to punctuate that imperative.

“Clearly, we are collectively paying attention now,” White said. “Here’s hoping our modest project will make a dent in restoring some much needed confidence.”

Categories: Cryptography, Government, Web Security