Jerrold Leichter [EMAIL PROTECTED] writes:
There was also an effort in England that produced a verified chip. Quite
impressive, actually - but I don't know if anyone actually wanted the chip
they (designed and) verified.
The Viper. Because it needed to be formally verifiable, they had to leave
Anton Stiglic [EMAIL PROTECTED] writes:
But the problem is how can people who know nothing about security evaluate
which vendor is most committed to security? For the moment, FIPS 140 and CC
type certifications seem to be the only means for these people...
Yeah, it's largely a case of looking
- Original Message -
From: Ian Grigg [EMAIL PROTECTED]
Sent: Saturday, October 11, 2003 1:22 PM
Subject: Re: NCipher Takes Hardware Security To Network Level
Is there any reason to believe that people who
know nothing about security can actually evaluate
questions about security
- Original Message -
From: Peter Gutmann [EMAIL PROTECTED]
[...]
The problem is that what we really need to be able to evaluate is how committed a vendor is to creating a truly secure product.
[...]
I agree 100% with what you said. Your 3 group classification seems
accurate.
But
Anton Stiglic wrote:
- Original Message -
From: Peter Gutmann [EMAIL PROTECTED]
[...]
The problem is that what we really need to be able to evaluate is how committed a vendor is to creating a truly secure product.
[...]
I agree 100% with what you said. Your 3 group
I wrote:
Peter (I define myself to be A BIT CYNICAL about all this).
Since it could appear that I'm gratuitously bashing FIPS 140 (or certification processes in general) here, I should clarify: As with all attempts at one-size-fits-all solutions, one size doesn't quite fit all. You can break
I was asked by someone to anonymously forward the following reply to
Joshua Hill to the list. (Second time in a week, and on the same topic!)
If you reply, please don't put my name in the reply -- this isn't my
comment.
--
- Original Message -
From: Peter Gutmann [EMAIL PROTECTED]
[...]
If you think that's scary, look at Microsoft's CryptoAPI for Windows XP FIPS 140 certification. As with physical security certifications like BS 7799, you start by defining your security perimeter, defining everything
Anton Stiglic [EMAIL PROTECTED] writes:
This is why you get requirements of the type that it should run on Windows in
single-user mode, which I take to mean have only an admin account. This
prevents privilege escalation attacks (regular user to root) that are easily
done.
I think this is
- Original Message -
From: Peter Gutmann [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 11:07 AM
Subject: Re: NCipher Takes Hardware Security To Network Level
Anton Stiglic [EMAIL PROTECTED] writes:
This is why you get requirements
http://www.crn.com/Components/printArticle.asp?ArticleID=44909
NCipher Takes Hardware Security To Network Level
By
Charlene O'Hanlon
CRN
9:35 AM EST Mon., Oct. 06, 2003
NCipher Monday
unveiled a network-level version of its nShield Hardware Security Module
--- begin forwarded text
Status: U
Date: Mon, 06 Oct 2003 12:40:41 -0400
From: Somebody
To: R. A. Hettinga [EMAIL PROTECTED]
Subject: Re: NCipher Takes Hardware Security To Network Level
Don't identify me, since I'm not sure what parts of my NDA are still in
force now that they've announced
In fact, if you're clever, you can manage to not trouble yourself to get
the key-management, etc. certified, getting only the simple, symmetric-cipher
stuff run through the process.
You can, but that doesn't mean that it's ok.
Key management is explicitly covered under FIPS 140-2. If you