bitcoin-dot-org / Bitcoin.org

Bitcoin.org Website
https://bitcoin.org/

Hardware wallet rating don't take into account whether open source hardware is available #3164

Open fresheneesz opened 4 years ago

fresheneesz commented 4 years ago

In particular, Ledger and BitBox don't seem to have open sourced their hardware designs. Cold card has published its hardware design, but it's not exactly open source. I think these things would be useful to mention in their descriptions on this site. It would probably also be useful to have a mention of the fact that any of these hardware wallets with a secure chip don't use an open source secure chip (for reasonable reasons - namely that they basically don't exist).

crwatkins commented 4 years ago

@fresheneesz I believe that the "description" you refer to is the transparency score and description as defined here.

Some background for anyone interested: The scoring provides a small selection of orthogonal options to describe a wallet. There has been an effort over time to keep the number of selections as small as possible and to try to come up with descriptions that will classify as many wallets as possible, and not end up with a different description for each wallet. Note that the "good", "pass", and "fail" in the label controls the score assigned. An open source hardware designation might be able to be incorporated into this transparency scoring.

@fresheneesz did you have any particular open source hardware definition in mind? The most important aspect for me personally is ease of auditing. I'm not as interested in reproducible hardware builds as I am in reproducible software builds because of the difficulty in comparing hardware. Nor am I interested in requiring that developers give their hardware designs away free for others to sell. For example, I'm not interested in whether developers license under the definition from the Open Source Hardware Association or not.

In addition, I don't personally have any illusion of the effectiveness of auditing a hardware design when most of the components used in the design are not themselves open source. Given all that, more transparency is better for auditing.

fresheneesz commented 4 years ago

Thanks for the background. I didn't have any particular definition in mind, but I agree that ease of auditing is the highest item on the list as far as I'm concerned. Here are the criteria I think might be important to take into account:

A. Auditability of the overall design (what the components are and how they connect)
B. Auditability of main components (e.g. microcontroller, secure element)

I will say I think true open source hardware is likely to have more eyes on that design, especially if multiple producers use the same design, or parts of the same design. But that's less important than auditability, and no hardware wallet design I know is shared by multiple producers.

crwatkins commented 4 years ago

Above I said

An open source hardware designation might be able to to be incorporated into this transparency scoring.

After thinking about this more, I'm not sure that would work well with our current transparency score at the present time. By "at the present time" I mean during a time period in which I don't see any truly open source hardware wallets. I'm not trying to be a purist here, but I see hardware transparency needing to make significant (granted, difficult) advances to be anywhere near as useful as our current transparency scores of full open source and deterministic builds. Simple access to schematics or board layouts of proprietary components, which is what I believe we have today, seems similar to me to an open source main program with many of the libraries being closed. It's certainly better than nothing, but I don't believe that it would significantly affect our current transparency scores.

For a long time, we've considered listing hardware wallets in a separate section, perhaps with a separate UX. Perhaps hardware transparency could be a separate score if we did that, however that then places added responsibility on our users to evaluate the merits of software transparency vs. hardware transparency when, as it is often pointed out to us, many of our users probably are not equipped to even evaluate a single transparency score.

For those reasons, I personally am out of valid proposals to support this issue.

crwatkins commented 3 years ago

Let's discuss the various open source hardware definitions out there, such as Open Source Hardware Association and CERN Open Hardware License. These are extremely well defined (and now fairly mature) licenses which we could offer as checkboxes. However, as I mentioned above I'm totally focused on the ability to audit vs. the ability of others to use these designs freely for other products. Do we know of any license (or definition) or variants of these licenses which would simply meet the auditing requirements? Or am I being naive?

fresheneesz commented 3 years ago

There is the TAPR Open Hardware License as well, that looks very similar to the CERN one you mentioned. I like the Open Source Hardware Association's principles, specifically because it mentioned that for it to be open source, documentation must exist that clearly specifies the thing being released as open source. I think this is a perfect definition to use here for this. There are two kinds of things I think we could say about hardware wallets that currently exist:

  1. The entire design owned by the hardware wallet designer is open source by OSHWA's definition.
  2. 1 plus the design of any secure chip handling the keys is also open source by OSHWA's definition.

For item 2, this can be a little tricky, because it's unlikely that in any near term you could find enough open source components to build a hardware wallet out of only open source components. Things like capacitors, resistors, etc. are likely to be purchased from wherever, and that's likely to be pretty safe in near decades. There may, however, be more complex components smaller than a secure chip or alternatives to a secure chip that we would also want covered here. Though I think the above two items are enough for now, until there's some kind of hardware wallet that point 2 doesn't adequately capture.