Re: [Fed-Talk] Re: FIPS 140-2 discussion... Apple's CSP certification
- Subject: Re: [Fed-Talk] Re: FIPS 140-2 discussion... Apple's CSP certification
- From: "Shawn A. Geddis" <email@hidden>
- Date: Fri, 15 May 2009 11:22:20 -0400
Please do not hold anyone at NIST or the Lab responsible for the time
it is taking with the Apple Crypto Module.
That is work I am leading out in and it takes time and lots of work!!!
I wish I could provide an ETA, but believe me, any timeline I provide
would end up no longer being valid moments after I provided it.
-Shawn
On May 15, 2009, at 10:59 AM, Peter Link wrote:
It would also be nice if NIST would get Apple's Cryptographic
Service Provider (CSP) module passed the IUT stage. For those sites
that depend on the formal certification to get their DAA to accept
the risk, this certification is critical. (any news Shawn?)
On May 15, 2009, at 7:47 AM, Amanda Walker wrote:
On Fri, May 15, 2009 at 10:17 AM, Shawn A. Geddis
<email@hidden> wrote:
I strongly agree with Amanda / Tim on the FIPS 140-2 Conformance Validation
comments. The process and its understanding does not lend itself well to
folks who do not spend the time getting their fingers dirty. The
unfortunate result is that it gets forced as a checkbox item without
customers spending much time with the implementation approach. Most all
products are using the same well known algorithms. How they differ the most
is their protection and management of the keys. Not all products are
created equal.
Indeed. Defeating a security product via cryptanalysis is extremely
rare--because it's usually unnecessary. Key distribution and handling
is very, very hard to get right. This is why software-only products
can only get to level 2 compliance, for example--to comply with 3 or
4, you need a hardware crypto module that keeps the keys out of the
main machine's hands and zeros them at any sign of tampering,
specifically to guard against hardware attacks (like the "freeze the
RAM" stuff that made the news last year).
Speaking of such things, it sure would be nice to have a hardened
ExpressCard for my MacBook Pro that I could stick the equivalent of a
KSD-64 into to unlock my machine :-).
--Amanda
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden