hard sell until it's actually validated, since it requires the DAA
to sign off on an exception.
Very true... and the DAA has to think "is this worth the potential
personal embarrassment or possibly a career?" Were I the DAA, the
answer would be "no".
I started inquiring July 2004 about FIPS certification for
FileVault. There seems to be no FIPS timeline, only the state of
affairs that Shawn posted earlier to the list. Shawn has been as
helpful possible, but the only thing that matters is Apple's crypto
module being listed as certified. Anything else and we are only
sorta-pregnant.
I would suggest that Apple may consider throwing away their crypto
module and license PGP's which is already certified. On the surface
of it, this would:
1) adhere to the "open standards open source" adoption wave for Mac
OS X
2) achieve FIPS 140-2 certification over night (the module is
certified, not the implementation)
3) alleviate the cost and development burden of AES in the OS.
There would be some kind of licensing agreement as PGP is open
source but not public domain. It is not like Apple has not done that
before with other products (fax) ... and then substituted (fax)
their own (fax) implementation in later.