
I've also been considering the possibilities of an OSS security focused business. Random thoughts:

* Build infrastructure necessary for other developers to build provably secure products on, license this.

* Free consumer versions, paid/managed versions for corporations and governments.

* Things like secure telephony have business models built in where you could charge per minute (or message) (and probably still be less than incumbent carrier minutes).



Just to let you know I am planning on doing a series at my blog on thoughts regarding key management of a secure telephony system. My overall thoughts are to have a very tightly controlled key change policy so that a wiretap is only possible where either a customer's certificate authority's key has been compromised (customers would be expected to run their own CAs) or where new calls were being established between parties that had not called each other before. An interesting property of the system I am thinking about is that when a wiretap would end the next call to a previously eavesdropped target would generate a warning.


If you get there and want someone to bounce ideas off of or help out, feel free to let me know. (chris at efficito dot com).

The one huge problem I see here is that designing a managed version which could guarantee security against a wiretap order would be quite difficult. In essence you would have to push all key management issues to your users, and that leaves you a lot less to actually manage.
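
The key-continuity property discussed in this thread, as an added example (not code from any commenter or from the system being planned): a per-peer pin store where a key change is accepted only with an endorsement from the customer's own CA. The class and function names, the sample keys, and the use of HMAC as a stand-in for a CA signature are all assumptions made for illustration.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()


def endorse(ca_key: bytes, peer: str, old_fp: str, new_fp: str) -> bytes:
    # Stand-in for a CA signature over a key change. A real design would use an
    # asymmetric signature checked against the customer CA's public key.
    msg = "|".join((peer, old_fp, new_fp)).encode()
    return hmac.new(ca_key, msg, hashlib.sha256).digest()


class PinStore:
    """Hypothetical client-side store of the key each peer used before."""

    def __init__(self, ca_key: bytes):
        self.ca_key = ca_key
        self.pins = {}

    def check_call(self, peer: str, public_key: bytes, endorsement=None) -> str:
        fp = fingerprint(public_key)
        pinned = self.pins.get(peer)
        if pinned is None:
            self.pins[peer] = fp          # nothing to compare against yet
            return "first-contact"
        if hmac.compare_digest(pinned, fp):
            return "ok"
        if endorsement is not None and hmac.compare_digest(
                endorse(self.ca_key, peer, pinned, fp), endorsement):
            self.pins[peer] = fp          # CA-approved key change
            return "rollover"
        return "warning"                  # unexplained key change, pin is kept


def demo():
    ca_key = b"constructed-ca-key"        # constructed sample values throughout
    real, other, renewed = b"alice-key-1", b"interposed-key", b"alice-key-2"
    out = []
    known = PinStore(ca_key)              # case 1: parties that called before
    out.append(known.check_call("alice", real))
    out.append(known.check_call("alice", other))
    tag = endorse(ca_key, "alice", fingerprint(real), fingerprint(renewed))
    out.append(known.check_call("alice", renewed, tag))
    fresh = PinStore(ca_key)              # case 2: first call was intercepted
    out.append(fresh.check_call("bob", other))
    out.append(fresh.check_call("bob", other))
    out.append(fresh.check_call("bob", b"bob-key-1"))  # interception has ended
    return out
```

In case 2 the last call returns "warning" because the genuine key no longer matches the key pinned while the call was being intercepted, which is the end-of-wiretap warning described above.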



