Flaws in OpenSSL FIPS Object Module
Ed Gerck
edgerck at nma.com
Mon Dec 10 14:56:40 EST 2007

Vin McLellan wrote:
>
> What does it say about the integrity of the FIPS program, and its CMTL
> evaluation process, when it is left to competitors to point out
> non-compliance of evaluated products -- proprietary or open source -- to
> basic architectural requirements of the standard?

Enter Reality 2.0. Yesterday, security was based on authority --
on some particular agency or expert. Today, security is /also/ based
on anyone else that can point out non-compliance, and solutions.

The integrity of the FIPS program, and any other evaluation process,
can only increase when [x] are also able (entirely on their own and
not by a mandate) to point out non-compliance of evaluated products
-- proprietary or open source -- to basic architectural requirements
of the standard. Here [x] = competitors, attackers, outside experts,
anyone in general.

Cheers,
Ed Gerck
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com