Re: [saag] Algorithms/modes requested by users/customers

Randall Atkinson <rja@extremenetworks.com> Wed, 20 February 2008 15:27 UTC

From: Randall Atkinson <rja@extremenetworks.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Wed, 20 Feb 2008 07:27:19 -0800
Message-ID: <8329C86009B2F24493D76B486146769A9596B14F@USEXCHANGE.corp.extremenetworks.com>
References: <20080220131048.55faab0b@cs.columbia.edu>, <E1JRpLO-0006MQ-Lc@wintermute01.cs.auckland.ac.nz>
In-Reply-To: <E1JRpLO-0006MQ-Lc@wintermute01.cs.auckland.ac.nz>
Cc: "saag@mit.edu" <saag@mit.edu>
Subject: Re: [saag] Algorithms/modes requested by users/customers

Earlier, Peter Gutmann wrote:
% Politician's Fallacy again: Is FIPS 140 really the best way to spend your
% money?

If someone has a better proposal, I am very sure that there is a large
audience that would love to hear it. (More on this at bottom)

% If FIPS 140 is the answer now, why wasn't the Orange Book
% the answer then?

You are comparing apples to oranges above.

FIPS-140 is only about assurance for cryptographic modules.
Orange Book (TCSEC) was only about operating system security.

The two address different issues.

% What about giving the money to (picking a random name) Cigital and
% saying "make sure this code is OK"?

One needs a process that is as consistent and reproducible as practical
-- no human process could ever be 100% consistent and reproducible --
otherwise implementers will legitimately complain about a non-level
playing field.  Or were you proposing to set up a monopoly?

FIPS-140 has multiple certification labs in multiple countries evaluating
products -- to avoid creating a monopoly.  This HAS driven the evaluation
costs downwards over time, and it permits implementers the choice
to trade more money for less evaluation time.

I don't think anyone has claimed FIPS-140 is perfect.  The claims (not by
me so much as by other folks on the SAAG list) have been that (1) FIPS-140
is better than other extant security evaluations and that (2) so far
no serious alternative proposal that looks reasonably better has appeared.

If you think that FIPS-140-* is a target-rich environment, then please
try to seriously propose something better.  I understand NIST and its
partners are looking to evolve into FIPS 140-3 from FIPS 140-2.

Have you sent them any concrete suggestions for improvement?
I know the folks at NIST are happy to listen to any serious inputs
or proposals.

Cheers,

Ran