[Cryptography] VCAT report on NIST's process review

Phillip Hallam-Baker phill at hallambaker.com
Wed Jul 16 13:22:26 EDT 2014


On Wed, Jul 16, 2014 at 2:18 AM, Dave Horsfall <dave at horsfall.org> wrote:

> On Wed, 16 Jul 2014, Peter Gutmann wrote:
>
> > It's the ISO 9000 of security measures, keep doing what we've always
> > done but now there's a Documented Procedure in the Quality Manual for
> > it.
>
> I actually did an ISO-9000 course.  Waste of time.  As you hinted, your
> goal could be to make the worst product of all time, and provided that it
> was documented thus (and you strived to make it thus), you too could be
> ISO certified.
>

ISO-9000 is really a standard for auditing a manufacturing process. The
purpose is to enable an astute and knowledgeable customer to outsource
manufacturing. You still have to read the process descriptions that were
audited. Only those are often trade secrets(!)

It is the same with PKI. You can indeed write a CPS that says 'we give any
certificate to anyone who asks' and you will be fully compliant with the
IETF RFCs. You would not however be compliant with the CABForum Certificate
Policy requirements and your applications to get your root included would
likely be rejected.


BTW, the other thing ISO 9000 is really good for is documenting a
manufacturing process before shipping the jobs offshore.