[Cryptography] "Is FIPS 140-2 Actively harmful to software?"
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Jun 20 17:58:31 EDT 2014
Jerry Leichter <leichter at lrw.com> writes:
>He never quite says "yes" but he clearly thinks it.
>
>https://blogs.oracle.com/darren/entry/fips_140_2_actively_harmful
Supporting the "actively harmful" argument could go either way, but the case
for "actively worthless" is easier to defend. In terms of verifying a crypto
implementation, your $100K FIPS-140 certification does less for you than a TLS
connection to amazon.com.
I was joking recently with some other security people that a much more
entertaining way of getting what FIPS 140 gives you, namely an indication of
how desperate a vendor is to sell to USG customers, would be to post a YouTube
video of yourself setting fire to a $100K mound of US$20 notes.
Peter.