I agree the current situation is profoundly broken. It's extremely goofy that the government requires itself to use software that, by the time it's validated, is obsolete. I could understand, but would really hate, if Apple or other companies were to say they just didn't want to play the game. Having every other government in the world considering FIPS compliance a big negative when buying things sure doesn't help the situation.
iOS isn't really such a big deal for us at NASA, since we really don't support encryption on iOS beyond requiring device encryption be activated to store our non-SBU (anything sensitive should be PKI encrypted, and we're not supposed to have our PKI keys on the device) email. Users are rapidly updating to iOS 7.
On the other hand, having FIPS 140-2 compliance for ML is a huge win, since we can potentially sell moving to FileVault II instead of a 3rd party product that's unpleasant to use and is destroying disks like nobody's business. The fact that we'll probably have to wait 6 months plus (possibly plus 6, 12, or 18!) to move to Mavericks (whichever WDE product we use) is pretty frustrating. We're just now moving to ML from Snow Leopard, and I'm pretty thrilled it's ML instead of Lion.
On Sep 20, 2013, at 2:18 PM, "Shawn A. Geddis" < email@hidden> wrote:
On Sep 20, 2013, at 11:22 AM, Walls, Bryan K. (MSFC-EO50) < email@hidden> wrote:
Perhaps the point is that all of the NSA discussion has moved the "FIPS 140-2 Compliant" label from having the connotation of "this was secure two years ago" that we're all used to into "this may be PWND by the NSA." Which is bad news for those of us who need it, since it makes even less of an attractive investment for companies like Apple.
What's your take on the timetable for iOS7 being FIPS 140-2 Compliant? Is the pipeline any shorter now than for iOS 6?
Bryan,
I believe there has been much misunderstanding about FIPS 140 within the federal space for quite some time. I am continually/daily perplexed at the assumptions/expectations/beliefs people have related to FIPS 140 module validation.
In my opinion, a final version of FIPS 140-3 will probably never see the light of day and will eventually be superseded by ISO/IEC 19790 for a more global focus, and hopefully then we will have a reasonable turnaround time in validations. Ten months for a vendor and all of their customers to wait on a validation is simply, well - unacceptable. Another example of the bad guys get to use whatever they want while the good guys (you all) are forced to stand and wait on the sidelines. Many of you have heard me say this before but, despite the good people in CMVP (and I do mean that), the process is horribly broken and needs to be fixed asap.
FIPS 140-? ==> ISO/IEC 19790 Security requirements for cryptographic modules
The “queue” for products waiting to be accepted into “In Review” (meaning they appear as “Review Pending”) remains at 6+ months for everyone. At this rate you all will forever be shackled to run older, possibly even deprecated products in your environments - that reality until things change.
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division