What does it say about the integrity of the FIPS program, and its
CMTL evaluation process, when it is left to competitors to point out
non-compliance of evaluated products -- proprietary or open source --
to basic architectural requirements of the standard?
_Vin
==============================
At 01:15 PM 12/7/2007, Ed Gerck wrote:
Peter Gutmann wrote:
While it's possible to say "There's something we noticed here in
the source code that requires the software to be ejected from the
train", it's a bit harder to say "We spent three months
reverse-engineering someone else's proprietary protected
intellectual property and think we may have found something".
Peter cites an important difference. You may be able to see but you
can't tell.
However, one can still easily reverse-engineer to find the
vulnerability and then present an exploit saying "There's something
we noticed here when the code is executed with this input...".
The conclusion holds that closed-source is now less of a reasonable
argument in terms of /protecting/ source code.
Software-as-a-Service (SaaS), though, would still work in terms of
protecting source code, as all you have is a "service oracle" that
does not necessarily reveal code details or flaws. SaaS could be
supplied remotely or locally, with a secure processor card or secure
USB-processor.
Cheers,
Ed Gerck
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
---------------------------------------------------------------------