[Cryptography] "Is FIPS 140-2 Actively harmful to software?"
Salz, Rich
rsalz at akamai.com
Fri Jun 20 16:32:22 EDT 2014
> I don't think there's any good proof that FIPS certification is indeed better than nothing.
There is only one that I have found: paying customers require it.
Many commercial organizations find that compelling. Many security professionals, especially those in the software business, do not.
In a previous job, I said that once FIPS becomes a requirement, we just give all those customers a free certified HSM as it would be cheaper and more maintainable than trying to get ourselves certified. And this was for a sealed 1U network appliance, not software. Thankfully, we never went the FIPS route (although we did do Common Criteria...)
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz at jabber.me; Twitter: RichSalz