Vin McLellan wrote:
What does it say about the integrity of the FIPS program, and its CMTL evaluation process, when it is left to competitors to point out non-compliance of evaluated products -- proprietary or open source -- to basic architectural requirements of the standard?
Enter Reality 2.0. Yesterday, security was based on authority -- on some particular agency or expert. Today, security is /also/ based on anyone else that can point out non-compliance, and solutions.

The integrity of the FIPS program, and any other evaluation process, can only increase when [x] are also able (entirely on their own and not by a mandate) to point out non-compliance of evaluated products -- proprietary or open source -- to basic architectural requirements of the standard. Here [x] = competitors, attackers, outside experts, anyone in general.

Cheers,
Ed Gerck