Shane Kerr writes: > Your blog article on this is informative: > > https://www.isc.org/blogs/the-crypto-library-disaster/
=> thanks. > Personally I think the insistence on FIPS-2 certification is a bit > misplaced. Certification can actually make organizations less agile in > responding to security problems, thereby ultimately less secure rather > than more. => one can argue the certification is the ultimate external review but in fact in some environments (including one I worked in before joining ISC) you have simply no choice... > Still, some administrators have that requirement, => yes they have so their system providers have and they asked us explicitely to support an alternative to Botan. > so crypto agility is ultimately a good thing. :) => I think you mean backend agility (crypto agility is for instance to allow MD5. SHA1 and SHA2 vs MD5 only). Of course it is a good thing! And note the OpenSSL alternative was proposed before OpenSSL problems so before it becomes obvious that crypto agility is a must. Thanks Francis Dupont <[email protected]> PS: Kea (and DHCP) uses only hash and hmac, things which are implemented in PKCS#11 providers in software, i.e., not using the crypto hardware of HSMs. _______________________________________________ Kea-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/kea-users
