Flaws in OpenSSL FIPS Object Module

[Vin McLellan]

What does it say about the integrity of the FIPS program, and its 
CMTL evaluation process, when it is left to competitors to point out 
non-compliance of evaluated products -- proprietary or open source -- 
to basic architectural requirements of the standard?

_Vin


==============================

At 01:15 PM 12/7/2007, Ed Gerck wrote

Peter Gutmann wrote:
>>While it's possible to say "There's something we noticed here in 
>>the source code that requires the software to be ejected from the 
>>train", it's a bit harder to say "We spent three months 
>>reverse-engineering someone else's proprietary protected 
>>intellectual property and think we may have found something".
>
>Peter cites an important difference. You may be able to see but you 
>can't tell.
>
>However, one can still easily reverse-engineer to find the 
>vulnerability and then present an exploit saying "There's something 
>we noticed here when the code is executed with this input...".
>
>The conclusion holds that closed-source is now less of a reasonable 
>argument in terms of /protecting/ source code.
>
>Software-as-a-Service (SaaS), though, would still work in terms of 
>protecting source code, though, as all you have is a "service 
>oracle" that does not necessarily reveal code details or flaws. SaaS 
>could be supplied remotely or locally, with a secure processor card 
>or secure USB-processor.
>
>Cheers,
>Ed Gerck
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com