Rich Salz <[EMAIL PROTECTED]> writes:

> Sure, that's why it's *the first.* They have never done this before, and it
> is very different to how they (or their Ft Meade experts) have done things
> before. I suppose one could argue that they're doing this for Level 1 to
> increase the industry demand for Level 2, but I'm not that paranoid. I think
> they finally "get it."
I think this uniquely broad certification, if permitted, would be mostly a sign that the politicians have finally won out over the certification purists. Let me explain... it's been known for a long time (at least from talking to evaluators, I don't know if NIST will admit to it) that there's large-scale use of unevaluated crypto going on, with the FIPS eval requirement being ignored by USG agencies, contractors, etc. etc. whenever it gets in the way of them getting their job done.

If NIST allow this extremely broad certification, it'd be a sign that they're following the Calvin and Hobbes recipe for success: "The secret to [success] is to lower your expectations to the point where they're already met". In other words the unevaluated crypto problem (or a major part of it) suddenly goes away, and it's possible to report that the certification effort has been wonderfully successful, because a large portion of the noncompliant usage is (at least on paper) magically made compliant overnight.

The only potential downside to this is that a pile of vendors who previously got a very narrowly-interpreted certification will presumably be queueing up to do the "I'll have what she's having" thing as soon as an open-ended certification is issued.

As with others who have commented on this, I'm going to believe this when I see it.

Peter.