Fixing the current process

Paul Hoffman paul.hoffman at
Tue Oct 9 10:20:14 EDT 2007

At 10:55 PM +0200 10/8/07, Ian G wrote:
>A slightly off-topic question:  if we accept that current processes 
>(FIPS-140, CC, etc) are inadequate indicators of quality for OSS 
>products, is there something that can be done about it?

Highly doubtful. The institutional inertia at DoD/NIST is too great. 
It has been suggested numerous times by numerous concerned parties 
for at least a decade.

>Is there a reasonable criteria / process that can be built that is 
>more suitable?

Yes. That part is easy, and some people in the system admit designing 
a much better system is quite tractable, as long as it is done in a 
vacuum. However, bureaucracy abhors a vacuum.

My feeling is that the only way that we can overturn the silliness of 
FIPS-140 / CC is for a major defense ally to implement a sane system. 
Five years later, and with a lot of vendor push, it could become a 
third process and the other two could wither over the ensuing 
decades. If we're lucky.

--Paul Hoffman, Director
--VPN Consortium

The Cryptography Mailing List