[Cryptography] "Is FIPS 140-2 Actively harmful to software?"
Dirk-Willem van Gulik
dirkx at webweaving.org
Sat Jun 21 09:55:58 EDT 2014
Op 20 jun. 2014, om 18:34 heeft ianG <iang at iang.org> het volgende geschreven:
> On 20/06/2014 15:30 pm, Dirk-Willem van Gulik wrote:
>>
>> Op 20 jun. 2014, om 15:11 heeft Ben Laurie <ben at links.org> het volgende geschreven:
>>
>>> On 20 June 2014 14:00, Jerry Leichter <leichter at lrw.com> wrote:
>>>> He never quite says "yes" but he clearly thinks it.
>>>
>>> I think it, too. I did the beginning of the first implementation for
>>> OpenSSL, and I hated it then. For example, they made me remove the
>>> inclusion of the PID in the random pool (which prevents duplicate
>>> randomness after a fork).
>> Arguably it got worse and slower.
>>
>> And yes, It is very easy to rally behind this type of sentiment; the stupidity; the inefficiency of good design processes done by committee and the meagre output of their output; especially given the immense volume and quality of individual inputs.
>>
>> If there ever was a competition for a crap one with substandard governance - FIPS would do well in that race!
>>
>> However I’d caution agains going too far and de-facto/industry wise killing it by voting with our feet.
>>
>> Without FIPS (or a similar standard), no matter how low or bad, we loose ‚aim’.
>
>
> I disagree with your pessimism. The common factor for FIPS, Mont Blanc
> and Dutch dykes-with-roofs is this: government.
>
> And the whole politician effect.
Actually - while I used a government example; to illustrate the politics - it was the large (commercial) customers I was mostly thinking off. In my experience government situations are somewhat more isolated form this as they toe specific rules and regulations; which are not as easily changed or ignored. And the politics there is much the same.
Dw.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140621/ff474d38/attachment.html>
More information about the cryptography
mailing list