[Cryptography] The lie of FIPS

Richard Outerbridge outer at interlog.com
Wed Dec 4 18:55:49 EST 2013


On 2013-12-04 (338), at 17:49:51, Mark Seiden <mis at seiden.com> wrote:

[….]

> the device could comply with fips 140 level 4, if only anyone were willing to pay the $200k in certification
> costs for a device that costs $50 in parts cost to make...

The last time I checked FIPS certification of Banking HSMs (Hardware Security Modules) _only_ covered the loading
of vendor-certified software into the module.  In other words, the HSM was only certified to be able to securely
load vendor-certified software.  There was no implicit or explicit guarantee that the thereupon loaded software
could be relied upon to operate securely.
__outer


