Re: [Fed-Talk] The Joys of FIPS
- Subject: Re: [Fed-Talk] The Joys of FIPS
- From: "Shawn A. Geddis" <email@hidden>
- Date: Fri, 20 Sep 2013 12:27:46 -0700
Todd,
Both insightful and well stated!
Thank You - I was not baiting you, simply hoping to ask for clarity on your reference which you did quite nicely.
-Shawn
On Sep 20, 2013, at 12:04 PM, Todd Heberlein <email@hidden> wrote:
>> What is the connection you are trying to draw with respect to Apple’s Cryptography and FIPS 140-2 Module Validation ?
>> The modules neither use BSAFE nor Dual_EC_DRBG and none of the source code was influenced by any government agency.
>
> More general & abstract than any particular product or stamp of approval.
>
> ~1991 we were trying to get Sun to make some changes to their BSM audit trails to support better intrusion detection. The question Sun put to us was, “How many more boxes will we sell if we do this?"
>
> I saw similar pushback during this time as vendors tried to get products through the various Orange Book security ratings, building secure “compartmented mode workstations”, etc. All this took a lot of work and time, and the products were usually several releases behind the general commercial versions. I don’t think all that work resulted in significant new sales.
>
> It takes a lot of work and time to go through evaluation processes - hence my reference to the very lengthy approval process for Apple’s FIPS efforts discussed on this mailing list.
>
> Will NIST approvals for a product result in countries like China effectively trying to block or discourage those sales as Congress has tried to do with Huawei products?
>
> As Paul Kedrosky tweeted a few weeks back: "Saying a security algo is 'Approved by the National Security Agency(NSA)' has completely inverted its meaning for me.”
>
> In a nutshell, a company may ask itself, “How many sales will I gain, and how many sales will I lose, by doing X?” for some value of ‘X’. And “Does that justify the time and effort required to do X?”
>
> I fear that if the value of a NIST approval is tainted in general, fewer companies may pursue these stamps of approval, especially if the company has significant overseas sales.
>
> Just a fear I have.
>
> Todd
Fed-talk mailing list (email@hidden)