-----Original Message-----
From: Ian G [mailto:[EMAIL PROTECTED]
Sent: Monday, October 08, 2007 6:05 AM
To: Peter Gutmann
Cc: [EMAIL PROTECTED]; cryptography@metzdowd.com
Subject: Re: Trillian Secure IM
Peter Gutmann wrote:
Alex Pankratov [EMAIL PROTECTED] writes:
SecureIM
We submitted a letter to the Program Manager, that while the RFP
was asking for an FDE solution, they really needed to focus on Key
Management across the agency, rather than the actual encryption
solution itself, before they deployed any encryption product.
We proposed our open-source
At 02:11 +1300 09.10.2007, Peter Gutmann wrote:
But if you build a FDE product with it you've got to get the entire product
certified, not just the crypto component.
I don't believe this to be the case.
FIPS 140(-2) is about validating cryptographic implementations. It is
not about
| But, opportunistic cryptography is even more fun. It is
| very encouraging to see projects implement cryptography in
| limited forms. A system that uses a primitive form of
| encryption is many orders of magnitude more secure than a
| system that implements none.
|
| Primitive form -
Arshad,
Some of the solutions already include a KMS. One of the key
requirements of this particular RFP was Transparency. Can you please
elaborate more on how StrongKey KMS would have improved on
transparency?
Thanks
saqib
http://security-basics.blogspot.com/
On 10/8/07, Arshad Noor [EMAIL
Saqib,
ALL the solutions include a KMS. They all must, because encryption keys
must be generated, escrowed, recovered, managed, policies defined, etc.
for any encryption to work.
And *that* is the problem - each of the KMSs is implemented in the
vendor's own design, using the vendor's
Peter Gutmann wrote:
Ben Laurie [EMAIL PROTECTED] writes:
Peter Gutmann wrote:
Given that it's for USG use, I imagine the FIPS 140 entry barrier for the
government gravy train would be fairly effective in keeping any OSS products
out.
? OpenSSL has FIPS 140.
But if you build a FDE product