[Cryptography] "Is FIPS 140-2 Actively harmful to software?"

Salz, Rich rsalz at akamai.com
Fri Jun 20 16:32:22 EDT 2014


> I don't think there's any good proof that FIPS certification is indeed better than nothing.

There is only one that I have found: paying customers require it.

Many commercial organizations find that compelling. Many security professionals, especially those in the software business, do not.

In a previous job, I said that once FIPS becomes a requirement, we just give all those customers a free certified HSM as it would be cheaper and more maintainable than trying to get ourselves certified. And this was for a sealed 1U network appliance, not software.  Thankfully, we never went the FIPS route (although we did do Common Criteria...)

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz at jabber.me; Twitter: RichSalz
