Peter Gutmann wrote:
Ben Laurie <[EMAIL PROTECTED]> writes:
Peter Gutmann wrote:
Given that it's for USG use, I imagine the FIPS 140 entry barrier for the
government gravy train would be fairly effective in keeping any OSS products
out.
? OpenSSL has FIPS 140.
But if you build a FDE product with it you've got to get the entire product
certified, not just the crypto component.
(Actually given the vagueness of what's being certified you might be able to
get away with getting just one corner certified, but then if you have to use a
SISWG mode you'd need to modify OpenSSL, which in turn means getting another
certification. Or the changes you'd need to make to get it to work as a
kernel driver would require recertification, because you can't just link in
libssl for that. Or...).
A slightly off-topic question: if we accept that current
processes (FIPS-140, CC, etc) are inadequate indicators of
quality for OSS products, is there something that can be
done about it? Is there a reasonable criteria / process
that can be built that is more suitable?
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
