At 11:25 AM -0500 12/21/06, Saqib Ali wrote:
> I would like to know how much weight people usually give to the FIPS
> 140-2 Level 1 certification.

US federal agencies are supposed to require that certification for any system they buy that uses crypto.

Sometimes, US state agencies require it as well.

Sometimes, clueless corporations require it because it has the word "certification" in it and, well, if it's good enough for the feds, it should be good enough for everyone.

> If two products have exactly the same feature set, but one is FIPS 140-2
> Level 1 certified but costs twice as much, would you go for it, considering
> that Level 1 is the lowest?

Assuming that the two products use Internet protocols (as compared to proprietary protocols): no. Probably the only thing that could differentiate the two is if the cheaper one has a crappy random number generator, the more expensive one will have a good one.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
