Re: [Fed-Talk] FIPS 140-2
Re: [Fed-Talk] FIPS 140-2
- Subject: Re: [Fed-Talk] FIPS 140-2
- From: "Wm. Cerniuk" <email@hidden>
- Date: Mon, 14 May 2007 07:33:06 -0400
hard sell until it's actually validated, since it requires the DAA
to sign off on an exception.
Very true... and the DAA has to think "is this worth the potential
personal embarrassment or possibly a career?" Were I the DAA, the
answer would be "no".
I started inquiring July 2004 about FIPS certification for FileVault.
There seems to be no FIPS timeline, only the state of affairs that
Shawn posted earlier to the list. Shawn has been as helpful
possible, but the only thing that matters is Apple's crypto module
being listed as certified. Anything else and we are only sorta-
pregnant.
I would suggest that Apple may consider throwing away their crypto
module and license PGP's which is already certified. On the surface
of it, this would:
1) adhere to the "open standards open source" adoption wave for Mac OS X
2) achieve FIPS 140-2 certification over night (the module is
certified, not the implementation)
3) alleviate the cost and development burden of AES in the OS.
There would be some kind of licensing agreement as PGP is open source
but not public domain. It is not like Apple has not done that before
with other products (fax) ... and then substituted (fax) their own
(fax) implementation in later.
Very Respectfully,
Wm. Cerniuk
Project Manager / Sr. Systems Architect
Veterans Affairs
877.529.5730 (toll free)
Time is Short, and the Water Rises
On May 8, 2007, at 9:33 AM, Amanda Walker wrote:
On May 7, 2007, at 4:53 PM, Wm.Cerniuk wrote:
I received the marching orders on this last friday in the presence
of the director of enterprise architecture who was impressed with
the operation of FileVault but... there is that OMB business...
Imagine if we lost a Mac and the news started hounding that while
it was encrypted it was not encrypted to government specification.
This was the same issue I ran into working on stuff for the Army--
regardless of the technical merits, AR 25-2 has no "or equivalent"
clause: "All ISs [information systems] will employ protection
mechanisms that satisfy criteria for basic, medium, or high levels
of robustness per DODI 8500.2 and Federal Information Processing
Standard (FIPS) 140–2." Many DAAs interpret this as "all systems
must employ a FIPS 140-2 validated solution." FileVault is a hard
sell until it's actually validated, since it requires the DAA to
sign off on an exception.
Amanda Walker
email@hidden
--
Producing a system from a specification is like walking on water--
it's easier if it's frozen.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden