[Cryptography] "Is FIPS 140-2 Actively harmful to software?"

Ben Laurie ben at links.org
Fri Jun 20 09:11:12 EDT 2014


On 20 June 2014 14:00, Jerry Leichter <leichter at lrw.com> wrote:
> He never quite says "yes" but he clearly thinks it.

I think it, too. I did the beginning of the first implementation for
OpenSSL, and I hated it then. For example, they made me remove the
inclusion of the PID in the random pool (which prevents duplicate
randomness after a fork).

It hasn't got any better.

> https://blogs.oracle.com/darren/entry/fips_140_2_actively_harmful
>
> On a related note, pointed to from another blog entry:  NIAP has recommended against further development of or evaluation against the Common Criteria profiles for general-purpose OS's and DBMS's:
>
> https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/GPOS%20Position%20Statement.pdf
>
> https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/DBMS%20Position%20Statement.pdf
>
> (Just for good measure, they say the same about "Enterprise Security Management Products".)
>
> OK, it's time for a set of acronyms and a bunch of new paperwork to keep the security/industrial complex - all those consultants ringing DC - fully employed (er, "guaranteeing the security of our critical infrastructure".)
>
>                                                         -- Jerry
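The fork behaviour mentioned in the message above, as an added example that is not part of the original post and is not OpenSSL's code: a toy hash-based pool seeded once before `fork()` gives the parent and the child the same output unless something process-specific, such as the PID, is mixed in. `ToyPool` and `fork_and_compare` are hypothetical names, and a POSIX system is assumed.

```python
import hashlib
import os


class ToyPool:
    """Toy hash-based pool, constructed for illustration (not OpenSSL's RAND code)."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(seed).digest()

    def read(self, mix_pid: bool) -> bytes:
        # Optionally fold the calling process's PID into every extraction.
        pid = os.getpid().to_bytes(8, "big") if mix_pid else b""
        out = hashlib.sha256(b"out" + self.state + pid).digest()
        self.state = hashlib.sha256(b"next" + self.state + pid).digest()
        return out


def fork_and_compare(mix_pid: bool):
    """Seed once, fork, then draw 32 bytes in parent and child from the inherited state."""
    pool = ToyPool(os.urandom(32))  # seeded before fork, so both processes hold a copy
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: send its output to the parent and exit immediately
        try:
            os.close(r)
            os.write(w, pool.read(mix_pid))
        finally:
            os._exit(0)
    os.close(w)
    parent_out = pool.read(mix_pid)
    child_out = os.read(r, 32)
    os.close(r)
    os.waitpid(pid, 0)
    return parent_out, child_out


if __name__ == "__main__":
    for mix in (False, True):
        p, c = fork_and_compare(mix)
        print(f"mix_pid={mix}: identical output after fork = {p == c}")
```

The PID is not secret and adds no entropy; it only keeps the two processes' output streams apart.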

