Re: [saag] Algorithms/modes requested by users/customers
Stephen Kent <kent@bbn.com> Tue, 19 February 2008 15:16 UTC
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m1JFGAv6006937 for <saag@PCH.mit.edu>; Tue, 19 Feb 2008 10:16:10 -0500
Received: from mit.edu (W92-130-BARRACUDA-2.MIT.EDU [18.7.21.223]) by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id m1JFG2hn016246 for <saag@mit.edu>; Tue, 19 Feb 2008 10:16:03 -0500 (EST)
Received: from mx11.bbn.com (mx11.bbn.com [128.33.0.80]) by mit.edu (Spam Firewall) with ESMTP id 776AACCF438 for <saag@mit.edu>; Tue, 19 Feb 2008 10:15:41 -0500 (EST)
Received: from dhcp89-089-071.bbn.com ([128.89.89.71]) by mx11.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1JRUC4-0002Ch-5y; Tue, 19 Feb 2008 10:15:41 -0500
Mime-Version: 1.0
Message-Id: <p06240504c3e09559649c@[192.168.0.102]>
In-Reply-To: <p06240804c3de211f0592@[10.20.30.162]>
References: <8329C86009B2F24493D76B486146769A9429B7A8@USEXCHANGE.corp.extremenetworks. com> <p06240804c3de211f0592@[10.20.30.162]>
Date: Tue, 19 Feb 2008 10:15:42 -0500
To: Paul Hoffman <paul.hoffman@vpnc.org>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
Cc: "saag@mit.edu" <saag@mit.edu>, Randall Atkinson <rja@extremenetworks.com>
Subject: Re: [saag] Algorithms/modes requested by users/customers
X-BeenThere: saag@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: IETF Security Area Advisory Group <saag.mit.edu>
List-Unsubscribe: <http://mailman.mit.edu/mailman/listinfo/saag>, <mailto:saag-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/saag>
List-Post: <mailto:saag@mit.edu>
List-Help: <mailto:saag-request@mit.edu?subject=help>
List-Subscribe: <http://mailman.mit.edu/mailman/listinfo/saag>, <mailto:saag-request@mit.edu?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2008 15:16:10 -0000
At 9:47 AM -0800 2/17/08, Paul Hoffman wrote: >... >>This seems to be driven externally by insurance firms that tell >>their customers to only use equipment whose cryptographic >>subsystems/modules have been (or are going to be) evaluated >>formally under FIPS-140. > >That is unreasonable. The ratio of "number of systems that use >crypto" to "number of systems that have been or are going to be >evaluated formally under FIPS-140" is incredibly high. The FIPS 140 >evaluation process is horribly broken on a number of axes, and all >the vendors in the field know it and complain privately about it. > >If you had instead said "have been (or at least could be) evaluated", >I would agree with you. Buyers want to know that, if pressed hard, >they can say "well, it is like that other system over there that got >certified", and to do that, the uncertified system has to at least >support all the right crypto. There is a noticeable but >non-quantifiable preference for systems with a FIPS 140 certificate, >but (outside the USGovt, of course) nearly no hard demand. Paul, Can you share the reasons cited by vendors to support the notion that the FIPS 140 process is broken. Compared to other security evaluation criteria, e.g. CC or the old Organge Book, most security folks I know view the FIPS 140 evaluation program as well managed and not very onerous. Also, if buyers believe that a device that "could be evaluated" is good enough, they are being rather naive. Experience with the FIPS 140 program has shown that a significant fraction of of products submitted for evaluation fail the process. Presumably a vendor submitting a product for evaluation believes that the product is ready, and will pass, otherwise the vendor is wasting money on the evaluation effort. The fact that many products fail evaluation (for good security reasons), tells me that a vendor's claim that a product "could be evaluated" is not much of an assurance. Steve
- [saag] Algorithms/modes requested by users/custom… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Jack Lloyd
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… mcgrew
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Jon Callas
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Steven M. Bellovin
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Jon Callas
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… mcgrew
- Re: [saag] Algorithms/modes requested by users/cu… Vishwas Manral
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Ben Laurie
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani