I wrote: >Peter ("I define myself to be A BIT CYNICAL about all this").
Since it could appear that I'm gratuitously bashing FIPS 140 (or certification processes in general) here, I should clarify: As with all attempts at one-size-fits-all solutions, one size doesn't quite fit all. You can break the people getting the certification down into three classes:

Group 1: Vendors who really care about security, and go well beyond the FIPS 140 requirements anyway.

Group 2: Vendors who are generally interested in security, and will polish up their product to meet the FIPS 140 requirements.

Group 3: Vendors who want government contracts and see getting to their goal as being a penetration exercise on the certification process.

Over time, the certification has been moving from being a value-add performed only by vendors who really care to being a "You must be at least this high to ride the government-contract gravy train" ticket check. During this progression, group 1 membership has remained more or less constant (they've been building secure products for years, with or without the certification), group 2 has grown slowly (mostly for hardware vendors doing level 2-3 stuff), and everything else sort of ends up in group 3 (no-one wants to miss the gravy train).

Of the three groups, only group 2 really benefit from the certification requirements. Group 1 is frequently hindered by them because the vendors' security systems and models are far more sophisticated than the FIPS 140 ones, but to get your certification you have to show that it's only at the FIPS 140 level (this situation is a bit like the short story that's been circulating for some years in which systems engineers lobotomise a HAL 9000 so that it can run COBOL and JCL as the market requires). Group 3 just sees it as a paperwork-production exercise, shipping exactly the same product as before, only now they're allowed to sell it to government departments.

The problem is that what we really need to be able to evaluate is how committed a vendor is to creating a truly secure product.
Saying "You won't get government contracts until you can fill in the checkboxes" seems to be providing entirely the wrong motivation.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]