I wrote:

>Peter ("I define myself to be A BIT CYNICAL about all this").

Since it could appear that I'm gratuitously bashing FIPS 140 (or certification
processes in general) here, I should clarify: As with all attempts at
one-size-fits-all solutions, one size doesn't quite fit all.  You can break the
people getting the certification down into three classes:

  Group 1: Vendors who really care about security, and go well beyond the FIPS
    140 requirements anyway.

  Group 2: Vendors who are generally interested in security, and will polish
    up their product to meet the FIPS 140 requirements.

  Group 3: Vendors who want government contracts and see getting to their goal
    as being a penetration exercise on the certification process.

Over time, the certification has been moving from being a value-add performed
only by vendors who really care to being a "You must be at least this high to
ride the government-contract gravy train" ticket check.  During this
progression, group 1 membership has remained more or less constant (they've
been building secure products for years, with or without the certification),
group 2 has grown slowly (mostly for hardware vendors doing level 2-3 stuff),
and everything else sort of ends up in group 3 (no-one wants to miss the gravy

Of the three groups, only group 2 really benefit from the certification
requirements.  Group 1 is frequently hindered by them because the vendors'
security systems and models are far more sophisticated than the FIPS 140 ones,
but to get your certification you have to show that it's only at the FIPS 140
level (this situation is a bit like the short story that's been circulating
for some years in which systems engineers lobotomise a HAL 9000 so that it can
run COBOL and JCL as the market requires).  Group 3 just sees it as a
paperwork-production exercise, shipping exactly the same product as before,
only now they're allowed to sell it to government departments.  The problem is
that what we really need to be able to evaluate is how committed a vendor is
to creating a truly secure product.  Saying "You won't get government
contracts until you can fill in the checkboxes" seems to be providing entirely
the wrong motivation.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]