Full Disk Encryption solutions selected for US Government use

Ian G iang at systemics.com
Mon Oct 8 16:55:33 EDT 2007

Peter Gutmann wrote:
> Ben Laurie <ben at links.org> writes:
>> Peter Gutmann wrote:

>>> Given that it's for USG use, I imagine the FIPS 140 entry barrier for the
>>> government gravy train would be fairly effective in keeping any OSS products
>>> out.
>> ? OpenSSL has FIPS 140.
> But if you build a FDE product with it you've got to get the entire product
> certified, not just the crypto component.
> (Actually given the vagueness of what's being certified you might be able to
> get away with getting just one corner certified, but then if you have to use a
> SISWG mode you'd need to modify OpenSSL, which in turn means getting another
> certification.  Or the changes you'd need to make to get it to work as a
> kernel driver would require recertification, because you can't just link in
> libssl for that.  Or...).

A slightly off-topic question:  if we accept that current 
processes (FIPS-140, CC, etc) are inadequate indicators of 
quality for OSS products, is there something that can be 
done about it?  Is there a reasonable criteria / process 
that can be built that is more suitable?


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list