Rich Salz <[EMAIL PROTECTED]> writes:

>Sure, that's why it's *the first.*  They have never done this before, and it
>is very different to how they (or their Ft Meade experts) have done things
>before.  I suppose one could argue that they're doing this for Level 1 to
>increase the industry demand for Level 2, but I'm not that paranoid.  I think
>they finally "get it."

I think this uniquely broad certification, if permitted, would be mostly a
sign that the politicians have finally won out over the certification purists.
Let me explain... it's been known for a long time (at least from talking to
evaluators, I don't know if NIST will admit to it) that there's large-scale
use of unevaluated crypto going on, with the FIPS eval requirement being
ignored by USG agencies, contractors, etc etc whenever it gets in the way of
them getting their job done.  If NIST allow this extremely broad
certification, it'd be a sign that they're following the Calvin and Hobbes
recipe for success: "The secret to [success] is to lower your expectations to
the point where they're already met".  In other words the unevaluated crypto
problem (or a major part of it) suddenly goes away, and it's possible to
report that the certification effort has been wonderfully successful, because
a large portion of the noncompliant usage is (at least on paper) magically
made compliant overnight.

The only potential downside to this is that a pile of vendors who previously
got a very narrowly-interpreted certification will presumably be queueing up
to do the "I'll have what she's having" thing as soon as an open-ended
certification is issued.

As with others who have commented on this, I'm going to believe this when I
see it.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]