Fixing the current process
Paul Hoffman
paul.hoffman at vpnc.org
Tue Oct 9 10:20:14 EDT 2007
At 10:55 PM +0200 10/8/07, Ian G wrote:
>A slightly off-topic question: if we accept that current processes
>(FIPS-140, CC, etc) are inadequate indicators of quality for OSS
>products, is there something that can be done about it?
Highly doubtful. The institutional inertia at DoD/NIST is too great.
It has been suggested numerous times by numerous concerned parties
for at least a decade.
>Is there a reasonable criteria / process that can be built that is
>more suitable?
Yes. That part is easy, and some people in the system admit designing
a much better system is quite tractable, as long as it is done in a
vacuum. However, bureaucracy abhors a vacuum.
My feeling is that the only way that we can overturn the silliness of
FIPS-140 / CC is for a major defense ally to implement a sane system.
Five years later, and with a lot of vendor push, it could become a
third process and the other two could wither over the ensuing
decades. If we're lucky.
--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List