> In fact, if you're clever, you can manage to not trouble yourself to get
> the key-management, etc. certified, getting only the simple, symmetric-cipher
> stuff run through the process.

You can, but that doesn't mean that it's ok. Key management is explicitly covered under FIPS 140-2. If you have an underlying FIPS 140-2 module doing the basic low level crypto, and then have (crypto based) key management performed outside the module boundary, the larger system is not a FIPS 140-2 module, FIPS 140-2 compliant, or appropriate for the protection of sensitive but unclassified information within a federal agency without a separate FIPS 140-2 validation of the larger module.

> The government will still buy your "encryption devices" (FIPS-140
> certified)

That will greatly depend on the sophistication of the agency concerned. The US Forest Service (for example) may not have the level of understanding of the FIPS 140-2 standard that the US Navy has.

Josh

---------------------------------------------------------------------
The Cryptography Mailing List