[Cryptography] "Is FIPS 140-2 Actively harmful to software?"

[Dirk-Willem van Gulik]

Op 20 jun. 2014, om 18:34 heeft ianG <iang at iang.org> het volgende geschreven:

> On 20/06/2014 15:30 pm, Dirk-Willem van Gulik wrote:
>> 
>> Op 20 jun. 2014, om 15:11 heeft Ben Laurie <ben at links.org> het volgende geschreven:
>> 
>>> On 20 June 2014 14:00, Jerry Leichter <leichter at lrw.com> wrote:
>>>> He never quite says "yes" but he clearly thinks it.
>>> 
>>> I think it, too. I did the beginning of the first implementation for
>>> OpenSSL, and I hated it then. For example, they made me remove the
>>> inclusion of the PID in the random pool (which prevents duplicate
>>> randomness after a fork).
>> Arguably it got worse and slower.  
>> 
>> And yes, It is very easy to rally behind this type of sentiment; the stupidity; the inefficiency of good design processes done by committee and the meagre output of their output; especially given the immense volume and quality of individual inputs. 
>> 
>> If there ever was a competition for a crap one with substandard governance - FIPS would do well in that race!
>> 
>> However I’d caution agains going too far and de-facto/industry wise killing it by voting with our feet.
>> 
>> Without FIPS (or a similar standard), no matter how low or bad, we loose ‚aim’.
> 
> 
> I disagree with your pessimism.  The common factor for FIPS, Mont Blanc
> and Dutch dykes-with-roofs is this:  government.
> 
> And the whole politician effect.

Actually - while I used a government example; to illustrate the politics - it was the large (commercial) customers I was mostly thinking off. In my experience government situations are somewhat more isolated form this as they toe specific rules and regulations; which are not as easily changed or ignored. And the politics there is much the same.

Dw.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140621/ff474d38/attachment.html>