Kyle Hamilton wrote:
> On Dec 2, 2007 4:31 PM, Steve Marquess <[EMAIL PROTECTED]> wrote:
>   
>> Kyle Hamilton wrote:
>>     
>>> I just want to have the opportunity to know that what is submitted
>>> will actually run on the platform I must use.
>>>
>>> ... <big snip> ...
Kyle, you raise a number of good points that I'll respond to piecemeal
as time permits.

> The flaw is in the CMVP policies and procedures, in their basic design
> and presumptions -- but we can't change those.  (The primary flaw is
> this assumption: "all organizations have a vested interest in
> preventing their implementation details from being made public."  The
> entire process has been built around that assumption.  Since OpenSSL's
> validations, they've been likely revisiting this and causing new
> requirements to be made available, but they're still bound by
> regulation and statute that prescribe a specific means of handling the
> modules they work with.  They really don't have the flexibility
> required to adapt to this other, more public model any more quickly
> than they have been.)
Well put.  I do think they have been trying hard to adapt.
>   
>> I think your tone is typical of spirited discussions in open forums like
>> this and no offense is taken on my part.  I've had to deal with much
>> worse in other less public forums.  I can tell you that this kind of
>> "frank exchange of views" does not play well everywhere, most
>> bureaucracies (not just the CMVP) have very different ways of working
>> and establishing consensus.  So please please please direct all flames
>> at me and not at them.
>>     
>
> ...funny, I have only the sketchiest of information on who those
> bureaucracies would be, and no information on contacts within them to
> flame.  How would I direct the flames?  To whom would I direct the
> flames?  And if the flames were viewed as generated by the openssl
> validation, what would exist to prevent the ire raised by the heat
> from being directed back at openssl's future validations?  It'd be
> daft to direct my opinions anywhere /but/ here.
>
> I also don't direct flames personally, if I can avoid it.
> Organizations are abstract, but people are people and it does not help
> to insult, defame, or otherwise cause problems.  Especially when
> trying to effect changes in organizations that people are part of
Figuring out contact info for the roughly half-dozen individuals in the
CMVP isn't difficult.  During the original validation saga a number of
netizens did indeed send them some unsolicited asbestos-suit-grade
E-mails.  The CMVP toils in a fairly obscure area well removed from the
limelight and normally only corresponds directly with the accredited
test labs who, understandably, are rather deferential.  I understand
there was a bit of culture shock and hope to avoid a repeat.  From our
software engineering perspective some of the CMVP actions appear
puzzling and even hostile to open source, but I'm convinced that these
bureaucrats are sincerely trying to do the right thing in the context of
the very restrictive rules and precedents associated with FIPS 140-2. 
Flaming them doesn't help.  You know that, but not everyone does.

-Steve M.

-- 
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]