> In fact, if you're clever, you can manage to not trouble yourself to get
> the key-management, etc. certified, getting only the simple, symmetric-cipher
> stuff run through the process.  

You can, but that doesn't mean that it's ok.

Key management is explicitly covered under FIPS 140-2.  If you have an
underlying FIPS 140-2 module doing the basic low level crypto, and then
have (crypto based) key management performed outside the module boundary,
the larger system is not a FIPS 140-2 module, FIPS 140-2 compliant, or
appropriate for the protection of sensitive but unclassified information
within a federal agency without a separate FIPS 140-2 validation of the
larger module.

> The government will still buy your "encryption devices" (FIPS-140
> certified)

That will greatly depend on the sophistication of the agency concerned.
The US Forest Service (for example) may not have the level of understanding
of the FIPS 140-2 standard that the US Navy has.


The Cryptography Mailing List