On Thu, 21 Mar 2019 16:57:14 -0700 (PDT)
Eric Grosse <gro...@gmail.com> wrote:

I apologize for being too terse.

I in no way meant to undermine the FIPS procedure's value as a remedy to the
real problem of knowing what code (and/or hardware) runs in security-sensitive
environments. I just stated the obvious: for the vendor it is a very
bureaucratic process that costs money and time.

> > It will not lose its validation even if it has a bug. 
> > If it will fix this bug its validation is lost. 

> But again I'm sure you could win an argument with an auditor.

I meant that after a bugfix release the vendor has to submit its code again for
review.
 
The Implementation Guidance section G.8 “Revalidation requirements”
was worked on in 2016-2018 and has been in force for less than a year now.
 
Even with its 3A path (for CVE-reported holes with small and obvious fixes),
which is now exempt from the NIST fee, walking the 3A path still bears costs of
staff and time. Only after that will the certificate be updated, **and only then**
will your bugfix version be considered validated and the buggy old version
invalidated.

If for whatever reason you cannot get onto the 3A fast lane, you need to be
prepared for the fees and time of 3SUB (while the old version still is "validated").

TC,

P.S. This clarification should be the last message in this thread, as it is not
really on topic for the go-nuts list. Feel free to discuss it further in private,
though :).


-- 
Wojciech S. Czarnecki
 << ^oo^ >> OHIR-RIPE
