Re: NCipher Takes Hardware Security To Network Level

2003-10-16 Thread Peter Gutmann
Jerrold Leichter [EMAIL PROTECTED] writes: There was also an effort in England that produced a verified chip. Quite impressive, actually - but I don't know if anyone actually wanted the chip they (designed and) verified. The Viper. Because it needed to be formally verifiable, they had to leave

Re: NCipher Takes Hardware Security To Network Level

2003-10-15 Thread Anton Stiglic
- Original Message - From: Ian Grigg [EMAIL PROTECTED] * In contrast, someone who knows little about cars, can objectively evaluate a car. They can take it for a test drive and see if it feels right. Using it is proving it. I'm not totally convinced of this... Someone with

Re: NCipher Takes Hardware Security To Network Level

2003-10-13 Thread Peter Gutmann
Anton Stiglic [EMAIL PROTECTED] writes: But the problem is how can people who know nothing about security evaluate which vendor is most committed to security? For the moment, FIPS 140 and CC type certifications seem to be the only means for these people... Yeah, it's largely a case of looking

Re: NCipher Takes Hardware Security To Network Level

2003-10-13 Thread Anne Lynn Wheeler
At 10:22 PM 10/13/2003 +1300, Peter Gutmann wrote: So why is this stuff still present in the very latest certification requirements? Because we're measuring what we know how to measure, whether it makes sense to evaluate security in that way or not. This is probably why penetrate-and-patch is

Re: NCipher Takes Hardware Security To Network Level

2003-10-13 Thread Joseph Ashwood
- Original Message - From: Ian Grigg [EMAIL PROTECTED] Sent: Saturday, October 11, 2003 1:22 PM Subject: Re: NCipher Takes Hardware Security To Network Level Is there any reason to believe that people who know nothing about security can actually evaluate questions about security

Re: NCipher Takes Hardware Security To Network Level

2003-10-11 Thread Anton Stiglic
- Original Message - From: Peter Gutmann [EMAIL PROTECTED] [...] The problem is that what we really need to be able to evaluate is how committed a vendor is to creating a truly secure product. [...] I agree 100% with what you said. Your 3 group classification seems accurate. But

Re: NCipher Takes Hardware Security To Network Level

2003-10-11 Thread Ian Grigg
Anton Stiglic wrote: - Original Message - From: Peter Gutmann [EMAIL PROTECTED] [...] The problem is that what we really need to be able to evaluate is how committed a vendor is to creating a truly secure product. [...] I agree 100% with what you said. Your 3 group

Re: NCipher Takes Hardware Security To Network Level

2003-10-08 Thread Peter Gutmann
I wrote: Peter (I define myself to be A BIT CYNICAL about all this). Since it could appear that I'm gratuitously bashing FIPS 140 (or certification processes in general) here, I should clarify: As with all attempts at one-size-fits-all solutions, one size doesn't quite fit all. You can break

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Perry E. Metzger
I was asked by someone to anonymously forward the following reply to Joshua Hill to the list. (Second time in a week, and on the same topic!) If you reply, please don't put my name in the reply -- this isn't my comment. --

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Anton Stiglic
- Original Message - From: Peter Gutmann [EMAIL PROTECTED] [...] If you think that's scary, look at Microsoft's CryptoAPI for Windows XP FIPS 140 certification. As with physical security certifications like BS 7799, you start by defining your security perimeter, defining everything

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Peter Gutmann
Anton Stiglic [EMAIL PROTECTED] writes: This is why you get requirements of the type that it should run on Windows in single-user mode, which I take to mean have only an admin account. This prevents privilege escalation attacks (regular user to root) that are easily done. I think this is

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Anton Stiglic
- Original Message - From: Peter Gutmann [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, October 07, 2003 11:07 AM Subject: Re: NCipher Takes Hardware Security To Network Level Anton Stiglic [EMAIL PROTECTED] writes: This is why you get requirements

NCipher Takes Hardware Security To Network Level

2003-10-06 Thread R. A. Hettinga
http://www.crn.com/Components/printArticle.asp?ArticleID=44909 CRN -- Print This Article NCipher Takes Hardware Security To Network Level By Charlene O'Hanlon CRN 9:35 AM EST Mon., Oct. 06, 2003 NCipher Monday unveiled a network-level version of its nShield Hardware Security Module

Re: NCipher Takes Hardware Security To Network Level

2003-10-06 Thread R. A. Hettinga
--- begin forwarded text Status: U Date: Mon, 06 Oct 2003 12:40:41 -0400 From: Somebody To: R. A. Hettinga [EMAIL PROTECTED] Subject: Re: NCipher Takes Hardware Security To Network Level Don't identify me, since I'm not sure what parts of my NDA are still in force now that they've announced

Re: NCipher Takes Hardware Security To Network Level

2003-10-06 Thread Joshua Hill
In fact, if you're clever, you can manage to not trouble yourself to get the key-management, etc. certified, getting only the simple, symmetric-cipher stuff run through the process. You can, but that doesn't mean that it's ok. Key management is explicitly covered under FIPS 140-2. If you