Flaws in OpenSSL FIPS Object Module

Ed Gerck edgerck at nma.com
Mon Dec 10 14:56:40 EST 2007


Vin McLellan wrote:
> 
> What does it say about the integrity of the FIPS program, and its CMTL 
> evaluation process, when it is left to competitors to point out 
> non-compliance of evaluated products -- proprietary or open source -- to 
> basic architectural requirements of the standard?

Enter Reality 2.0. Yesterday, security was based on authority --
on some particular agency or expert. Today, security is /also/ based
on anyone else that can point out non-compliance, and solutions.

The integrity of the FIPS program, and any other evaluation process,
can only increase when [x] are also able (entirely on their own and
not by a mandate) to point out non-compliance of evaluated products
-- proprietary or open source -- to basic architectural requirements
of the standard. Here [x] = competitors, attackers, outside experts,
anyone in general.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
