Re: [Fed-Talk] The Joys of FIPS

  • Subject: Re: [Fed-Talk] The Joys of FIPS
  • From: Todd Heberlein <email@hidden>
  • Date: Fri, 20 Sep 2013 12:04:15 -0700

> What is the connection you are trying to draw with respect to Apple’s Cryptography and FIPS 140-2 Module Validation?
> The modules neither use BSAFE nor Dual_EC_DRBG, and none of the source code was influenced by any government agency.

More general & abstract than any particular product or stamp of approval.

~1991 we were trying to get Sun to make some changes to their BSM audit trails to support better intrusion detection. The question Sun put to us was, “How many more boxes will we sell if we do this?”

I saw similar pushback during this time as vendors tried to get products through the various Orange Book security ratings, building secure “compartmented mode workstations”, etc. All this took a lot of work and time, and the products were usually several releases behind the general commercial versions. I don’t think all that work resulted in significant new sales.

It takes a lot of work and time to go through evaluation processes - hence my reference to the very lengthy approval process for Apple’s FIPS efforts discussed on this mailing list.

Will NIST approvals for a product result in countries like China effectively trying to block or discourage those sales as Congress has tried to do with Huawei products?

As Paul Kedrosky tweeted a few weeks back: “Saying a security algo is ‘Approved by the National Security Agency (NSA)’ has completely inverted its meaning for me.”

In a nutshell, a company may ask itself, “How many sales will I gain, and how many sales will I lose, by doing X?” for some value of ‘X’. And “Does that justify the time and effort required to do X?”

I fear that if the value of a NIST approval is tainted in general, fewer companies may pursue these stamps of approval, especially if the company has significant overseas sales.

Just a fear I have.

Todd




  • Follow-Ups:
    • Re: [Fed-Talk] The Joys of FIPS (From: "Shawn A. Geddis" <email@hidden>)
  • References:
    • [Fed-Talk] The Joys of FIPS (From: Todd Heberlein <email@hidden>)
    • Re: [Fed-Talk] The Joys of FIPS (From: "Shawn A. Geddis" <email@hidden>)
