Re: [saag] Algorithms/modes requested by users/customers

[pgut001@cs.auckland.ac.nz (Peter Gutmann)]

"Santosh Chokhani" <SChokhani@cygnacom.com> writes:

>I do not think this is a forum for negotiations.

Absolutely, that's why I pointed out that I wasn't taking it as a price quote,
more to make a point.

>But, we will be happy to do FIPS testing for your product for Level 1 for
>quoted price.
>
>As to algorithms, all FIPS approved algorithms need to be tested.

And there's the rub, it's not just handing over $30K and getting back a
coloured certificate, you need to get the algorithms certified, prepare a ton
of paperwork, spend a considerable amount of time on this, and that's where
the $100K all-up figure comes from.  If I could simply hand over $30K and the
source code *with no further effort or expense on my behalf* I'd jump at the
chance.

Just to show that I'm not trying to pick on Cygnacom here I'll make this an
open offer to anyone:

  If I can hand you $30K and a copy of my source code and you can get me a
  FIPS 140 cert for it without me incurring any additional effort or expense,
  please get in touch.

>Have you yourself participated in a FIPS evaluation or have you looked at the
>NIST FIPS 140-2 DTR and FIPS 140-2 IG (i.e. Implementation Guidance)
>available on the Web?

Probably about half a dozen directly (+/- one or two, I haven't kept an exact
tally), and been involved indirectly in about a dozen more via discussions
with (and listening to complaining about :-) others going through the process.
(Again, YMMV, I haven't kept an exact tally on the latter, and in some cases
it was nothing more than "what did you guys do to get past ...?", and
sympathising with them over problems).

Peter.