How important is FIPS 140-2 Level 1 cert?

Paul Hoffman paul.hoffman at vpnc.org
Thu Dec 21 19:27:11 EST 2006


At 11:25 AM -0500 12/21/06, Saqib Ali wrote:
>I would like to know how much weight people usually give to the FIPS
>140-2 Level 1 certification.

US federal agencies are supposed to require that certification for 
any system they buy that uses crypto.

Sometimes, US state agencies require it as well.

Sometimes, clueless corporations require it because it has the word 
"certification" in it and, well, if it's good enough for the feds, it 
should be good enough for everyone.

>If two products have exactly the same feature set, but one is FIPS 140-2
>Level 1 certified but costs twice as much, would you go for it, considering
>that Level 1 is the lowest?

Assuming that the two products use Internet protocols (as compared to 
proprietary protocols): no. Probably the only thing that could 
differentiate the two is if the cheaper one has a crappy random 
number generator, the more expensive one will have a good one.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


