Greg,
I was the one who asked about FIPS 140-2 certification, and I'm still looking
forward to seeing an announcement from MF on this subject.
Although it's true that NSS 3.2.2's FIPS 140-1 certification is 3.5 years old,
would you believe Microsoft's Windows 2000 (for IE) cert is even older? That
certificate (#106) goes back to 7/31/2000. Oddly enough, the FIPS.SYS file
v5.0.2195.1569 referenced in the certificate is actually dated 5/04/2001. I've
asked our corporate Microsoft rep to explain that, but all I've heard in reply
is the sound of crickets.
If FIPS-140 certification rules were to be rigorously enforced for any reason,
one of two things would happen:
(1) No contemporary browser would be allowed, since all their code modules have
changed since they were certified and none is current. This would shut down all
use of the web in the Federal government. (Not very likely.)
(2) The lawyers and auditors would re-read the statutes and policies, then
declare that FIPS-140 certification is only a requirement for National Security
Information (read: classified) processing.
I'm no lawyer, but I can read the applicable statutes as well as the next
person, and I personally believe (2) is the right answer. However, I'm not the
local sheriff here and don't speak for the AF. In reality there is a zeroth
choice:
(0) Do not, under any circumstances, ask the question in an official capacity in
the first place. ("Don't ask the question if you can't stand the answer.") This
avoids having to decide between (1) and (2).
And that's the limbo we exist in today.
--Doc
Robert G. (Doc) Savage, CISSP, RHCE, GCIA
AFCA/EACR, ETAS Support Contractor
BAE Systems Information Technology
Voice: (618) 229-6381  DSN: 779-6381
Fax: (618) 229-5339
E-mail: [EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto