Indeed. In the UK there was recently an issue of the security of cash-machines because of a bug in the implementation of a similarly certified protocol. It meant that you could potentially get card details by sniffing what went down the telephone lines. I haven't heard whether this has been resolved or not.
Of course, taking this to extremes many government agencies should therefore disconnect from the Internet. I think it's an issue that will keep cropping up until governments realise that security is something that you aim for, and not necessarily guaranteed by any particular certificate.

John

> -----Original Message-----
> From: Andrew T. Finnell [mailto:[EMAIL PROTECTED]]
> Sent: 25 July 2002 15:12
> To: [EMAIL PROTECTED]
> Subject: RE: FIPS-140 certification
>
> John,
>
> Sometimes that is not up to the developer. You state it like
> someone has a choice of what they use. Most government agencies
> disallow any encryption that isn't FIPS certified. If they had a
> choice it probably wouldn't be a question. :)
>
> -
> Andrew T. Finnell
> Active Solutions L.L.C
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > On Behalf Of [EMAIL PROTECTED]
> > Sent: Thursday, July 25, 2002 10:04 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: FIPS-140 certification
> >
> > Just to add my thoughts to the cooking pot, FIPS-140 probably
> > isn't worth a string of beans. The actual encryption protocols
> > used in openssl haven't changed in a long time, for example
> > 3DES encryption is still 3DES encryption. Granted, newer ones
> > have been added (rijndael for example), but on the whole
> > protocols remain static.
> >
> > So if someone had obtained FIPS-140 certification for openssl
> > 0.9.6d (for example) and a security bug was subsequently found
> > in that software version, the fix for the bug would invalidate
> > the certification.
> >
> > Which all boils down to a question of choice, do you prefer a
> > certificate that says your software is safe even if it isn't
> > to uncertified software which is worked on constantly to
> > ensure it is as safe as possible? I know which I would choose.
> >
> > -
> > John Airey
> > Internet systems support officer, ITCSD, Royal National
> > Institute of the Blind, Bakewell Road, Peterborough PE2 6XU,
> > Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
> > [EMAIL PROTECTED]
> >
> > Is the statement 'There is no such thing as truth' true?
> >
> > > -----Original Message-----
> > > From: Ed Moyle [mailto:[EMAIL PROTECTED]]
> > > Sent: 25 July 2002 14:47
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: FIPS-140 certification
> > >
> > > On Wednesday, July 24, 2002 23:14, Bil Kleb wrote:
> > >
> > > Bil,
> > >
> > > > This may be a blasphemous question due to U.S. patent issues,
> > > > but has anyone figured out if Open-SSL is FIPS-140 certified/
> > > > certifiable?
> > >
> > > You and I are on the same page. NIST doesn't have a cert for
> > > OpenSSL or SSLeay (bummer) and I've asked about this in the past.
> > > The problem is the cost of certification as I understand it, plus
> > > the "release early release often" mantra doesn't lend well to
> > > NIST's perspective of "every time you change the crypto, you need
> > > to get it recertified."
> > >
> > > I've done some of the work of determining if the thing is
> > > "certifiable" (meaning does it comply to the FIPS 140-2 req's)
> > > and from what I've seen, it seems to, but I haven't finished this
> > > effort. I coded up the random # statistical tests that are
> > > described in the req, and they pass (I'll send this to you if you
> > > want it... just write me off-list). Also, it supports ciphersuites
> > > that use only NIST-approved algorithms. This is good news, but, of
> > > course, what matters is the cert, and there isn't one.
> > >
> > > So, I guess the upshot of the deal is that until somebody
> > > certifies it, it can't be used for unclassified cryptography
> > > (strictly speaking). If you want to go down a different route,
> > > you might want to check out SSL/C from RSA.
> > > I don't know, since I haven't looked at it, but since Eric Young
> > > had some involvement, the API might be close to openssl since the
> > > historical roots are intertwined, and most of the B-Safe line is
> > > 140-1 certified (pretty sure about this, but you might want to
> > > check at NIST to be double-sure).
> > >
> > > Hope this helps,
> > > -Ed
> > >
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > User Support Mailing List                    [EMAIL PROTECTED]
> > > Automated List Manager                           [EMAIL PROTECTED]
> >
> > -
> >
> > NOTICE: The information contained in this email and any attachments
> > is confidential and may be legally privileged. If you are not the
> > intended recipient you are hereby notified that you must not use,
> > disclose, distribute, copy, print or rely on this email's content.
> > If you are not the intended recipient, please notify the sender
> > immediately and then delete the email and any attachments from your
> > system.
> >
> > RNIB has made strenuous efforts to ensure that emails and any
> > attachments generated by its staff are free from viruses. However,
> > it cannot accept any responsibility for any viruses which are
> > transmitted. We therefore recommend you scan all attachments.
> >
> > Please note that the statements and views expressed in this email
> > and any attachments are those of the author and do not necessarily
> > represent those of RNIB.
> >
> > RNIB Registered Charity Number: 226227
> >
> > Website: http://www.rnib.org.uk
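The statistical tests Ed Moyle mentions coding up (in the message quoted above) are the four power-up tests of FIPS 140-2 section 4.9.1 as the standard stood in 2002: monobit, poker, runs and long run, all evaluated on one 20,000-bit sample from the generator. The block below is an added example, not Ed's code and not OpenSSL's; it reimplements those four tests in Python with the thresholds from that edition of the standard, and uses os.urandom purely as a stand-in for whatever generator is under test. The constructed all-zero and alternating samples show the failure modes the tests were designed to catch. One caveat: these thresholds were later removed from FIPS 140-2 by Change Notice 2, and passing them says nothing about unpredictability, so a clean pass is a sanity check against a stuck or grossly biased generator, not evidence that the generator is cryptographically sound.

```python
"""FIPS 140-2 (section 4.9.1, 2001 edition) power-up statistical RNG tests.

Added example, not Ed Moyle's code and not part of OpenSSL. Runs the monobit,
poker, runs and long-run tests on a single 20,000-bit sample using the
thresholds published in that edition of the standard.
"""
import os
from typing import Dict, List, Tuple

SAMPLE_BITS = 20_000
SAMPLE_BYTES = SAMPLE_BITS // 8

# FIPS 140-2 thresholds. Monobit and poker bounds are exclusive; runs bounds
# are inclusive, and runs of length 6 or more share the last bucket.
MONOBIT_RANGE = (9_725, 10_275)
POKER_RANGE = (2.16, 46.17)
RUNS_RANGES = {
    1: (2_315, 2_685),
    2: (1_114, 1_386),
    3: (527, 723),
    4: (240, 384),
    5: (103, 209),
    6: (103, 209),
}
LONG_RUN = 26  # any run of this length or longer fails the sample


def to_bits(data: bytes) -> List[int]:
    """Unpack bytes MSB-first into a list of 0/1 ints."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def monobit_count(bits: List[int]) -> int:
    """Number of ones in the sample."""
    return sum(bits)


def poker_statistic(bits: List[int]) -> float:
    """X = (16/n) * sum(f_i^2) - n over the n non-overlapping 4-bit segments
    (n = 5,000 for a 20,000-bit sample); f_i is the count of nibble value i."""
    counts = [0] * 16
    for i in range(0, len(bits) - 3, 4):
        nibble = (bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]
        counts[nibble] += 1
    segments = len(bits) // 4
    return 16 * sum(c * c for c in counts) / segments - segments


def run_lengths(bits: List[int]) -> Tuple[Dict[int, List[int]], int]:
    """Count maximal runs of zeros and ones by length (index 1..6, where 6
    means 'six or more'; index 0 unused) and return the longest run seen."""
    counts = {0: [0] * 7, 1: [0] * 7}
    longest = 0
    current, length = bits[0], 1
    for bit in bits[1:]:
        if bit == current:
            length += 1
            continue
        counts[current][min(length, 6)] += 1
        longest = max(longest, length)
        current, length = bit, 1
    counts[current][min(length, 6)] += 1
    longest = max(longest, length)
    return counts, longest


def fips140_2_tests(sample: bytes) -> Dict[str, bool]:
    """Run the four tests on exactly 2,500 bytes and report pass/fail per test."""
    if len(sample) != SAMPLE_BYTES:
        raise ValueError(f"need exactly {SAMPLE_BYTES} bytes, got {len(sample)}")
    bits = to_bits(sample)
    ones = monobit_count(bits)
    x = poker_statistic(bits)
    counts, longest = run_lengths(bits)
    runs_ok = all(
        lo <= counts[value][length] <= hi
        for value in (0, 1)
        for length, (lo, hi) in RUNS_RANGES.items()
    )
    return {
        "monobit": MONOBIT_RANGE[0] < ones < MONOBIT_RANGE[1],
        "poker": POKER_RANGE[0] < x < POKER_RANGE[1],
        "runs": runs_ok,
        "long_run": longest < LONG_RUN,
    }


if __name__ == "__main__":
    # os.urandom stands in for the generator under test; the all-zero sample
    # (constructed) shows how a stuck generator fails every test.
    for name, sample in (("os.urandom", os.urandom(SAMPLE_BYTES)),
                         ("all-zero (constructed)", bytes(SAMPLE_BYTES))):
        results = fips140_2_tests(sample)
        verdict = "PASS" if all(results.values()) else "FAIL"
        print(f"{name:24s} {verdict}  {results}")
```

A stuck generator (all zeros) fails all four tests at once, while a perfectly alternating 0x55 pattern passes monobit and long run and is only caught by the poker and runs checks; that is the gap these tests were meant to cover, and also their limit, since a deterministic sequence with the right bit statistics passes them just as well as a true random source does.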
