What information have Microsoft released about the Bitlocker audit(s)? I couldn't find any, although my search wasn't particularly thorough. It seems to me that the value of an audit, for third parties, is that the auditor puts their reputation behind it.
That happens in a statistically negligible number of audits, and most especially in the best cryptographic audits. Which systems has Cryptography Research audited? Answer: you have no idea.
I don't doubt that, but no doubt a great deal of cryptographic audits are produced entirely for internal consumption at the procuring party, and another large chunk of them would be for bespoke software development gigs where the audit is for the benefit of the single customer.
Audits (and here I use the word in its expansive sense) that are intended to build confidence in a large or public audience do tend to be made public.
If that's true, it should be easy to cite audits of important software conducted by well-known cryptography engineering firms. So, tell me: where's the audit of OpenSSL, or SChannel, or NSS, done by Cryptography Research or Riscure? Where's the PGP audit? The LUKS audit?
Can I ask where you came by these opinions of how security audits work? I know where I came by mine.
When I say "the expansive sense" I am not referring to the specific case of security audits. For an example of what I mean, in terms of an audit intended to build confidence in a large audience, this was published in last year's annual report for News Corporation:
The Board of Directors and Shareholders of News Corporation:
We have audited the accompanying consolidated and combined balance
sheets of News Corporation as of June 30, 2013 and 2012, and the
related consolidated and combined statements of operations,
comprehensive (loss) income, equity, and cash flows for each of
the three years in the period ended June 30, 2013. These financial
statements are the responsibility of the Company’s management. Our
responsibility is to express an opinion on these financial
statements based on our audits.
We conducted our audits in accordance with the standards of the
Public Company Accounting Oversight Board (United States). Those
standards require that we plan and perform the audit to obtain
reasonable assurance about whether the financial statements are
free of material misstatement. We were not engaged to perform an
audit of the Company’s internal control over financial reporting.
Our audits included consideration of internal control over
financial reporting as a basis for designing audit procedures that
are appropriate in the circumstances, but not for the purpose of
expressing an opinion on the effectiveness of the Company’s
internal control over financial reporting. Accordingly, we
express no such opinion. An audit also includes examining, on a
test basis, evidence supporting the amounts and disclosures in the
financial statements, assessing the accounting principles used and
significant estimates made by management, and evaluating the
overall financial statement presentation. We believe that our
audits provide a reasonable basis for our opinion.
In our opinion, the financial statements referred to above present
fairly, in all material respects, the consolidated and combined
financial position of News Corporation at June 30, 2013 and 2012,
and the consolidated and combined results of its operations and
its cash flows for each of the three years in the period ended
June 30, 2013, in conformity with U.S. generally accepted
accounting principles.
/s/ Ernst & Young LLP
New York, New York
September 20, 2013
I do not believe the lack of a public security audit of OpenSSL, SChannel, NSS, PGP or LUKS indicates anything other than that either no-one cares enough about building public confidence in those projects to fund such an audit, or that anyone who has is sitting on the results because they weren't good.
