The fact that something occurs routinely doesn't actually make it a good idea. I've seen stuff in FIPS 140 evaluations that makes my skin crawl.
This is CRI, so I'm fairly confident nobody is cutting corners. But that doesn't mean the practice is a good one. On Jun 18, 2012, at 5:52 AM, Paweł Krawczyk <[email protected]> wrote: > Well, who otherwise should pay for that? Consumer Federation of America? > It's quite normal practice for a vendor to contract a 3rd party that > performs a security assessment or penetration test. If you are a smartcard > vendor it's also you who pays for Common Criteria certification of your > product. > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of Francois Grieu > Sent: Monday, June 18, 2012 11:04 AM > To: [email protected] > Subject: Re: [cryptography] Intel RNG > > [email protected] wrote: > >> CRI has published an independent review of the RNG behind the RdRand >> instruction: >> http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf > > where *independent* is to be taken as per this quote: > "This report was prepared by Cryptography Research, Inc. (CRI) > under contract to Intel Corporation" > > Francois Grieu > > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography > > > > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
