Re: [Fed-Talk] FIPS 140-2
- Subject: Re: [Fed-Talk] FIPS 140-2
- From: LTC Skip Harborth <email@hidden>
- Date: Mon, 14 May 2007 09:15:21 -0400
So can anybody out there say when Apple is "gonna wake up and smell
the coffee"? They've got a foothold (or should I say toehold) in
the Department of Defense at both the Pentagon and Walter Reed, but
my fear is they're gonna lose that if they don't listen to the needs
of a major customer.
Just my 2 Cents.
Skip Harborth
On 14 May 2007, at 7:33 AM, Wm. Cerniuk wrote:
hard sell until it's actually validated, since it requires the DAA
to sign off on an exception.
Very true... and the DAA has to think "is this worth the potential
personal embarrassment or possibly a career?" Were I the DAA, the
answer would be "no".
I started inquiring July 2004 about FIPS certification for
FileVault. There seems to be no FIPS timeline, only the state of
affairs that Shawn posted earlier to the list. Shawn has been as
helpful as possible, but the only thing that matters is Apple's crypto
module being listed as certified. Anything else and we are only
sorta-pregnant.
I would suggest that Apple may consider throwing away their crypto
module and license PGP's which is already certified. On the surface
of it, this would:
1) adhere to the "open standards open source" adoption wave for Mac
OS X
2) achieve FIPS 140-2 certification overnight (the module is
certified, not the implementation)
3) alleviate the cost and development burden of AES in the OS.
There would be some kind of licensing agreement as PGP is open
source but not public domain. It is not like Apple has not done
that before with other products (fax) ... and then substituted
(fax) their own (fax) implementation in later.
Very Respectfully,
Wm. Cerniuk
Project Manager / Sr. Systems Architect
Veterans Affairs
877.529.5730 (toll free)
Time is Short, and the Water Rises
On May 8, 2007, at 9:33 AM, Amanda Walker wrote:
On May 7, 2007, at 4:53 PM, Wm. Cerniuk wrote:
I received the marching orders on this last Friday in the
presence of the director of enterprise architecture who was
impressed with the operation of FileVault but... there is that
OMB business... Imagine if we lost a Mac and the news started
hounding that while it was encrypted it was not encrypted to
government specification.
This was the same issue I ran into working on stuff for the Army--
regardless of the technical merits, AR 25-2 has no "or equivalent"
clause: "All ISs [information systems] will employ protection
mechanisms that satisfy criteria for basic, medium, or high levels
of robustness per DODI 8500.2 and Federal Information Processing
Standard (FIPS) 140–2." Many DAAs interpret this as "all systems
must employ a FIPS 140-2 validated solution." FileVault is a hard
sell until it's actually validated, since it requires the DAA to
sign off on an exception.
Amanda Walker
email@hidden
--
Producing a system from a specification is like walking on water--
it's easier if it's frozen.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden