[14543] in cryptography@c2.net mail archive
Re: NCipher Takes Hardware Security To Network Level
daemon@ATHENA.MIT.EDU (Joshua Hill)
Mon Oct 6 20:33:14 2003
X-Original-To: cryptography@metzdowd.com
Date: Mon, 6 Oct 2003 17:10:53 -0700
From: Joshua Hill <josh-lists@untruth.org>
To: cryptography@metzdowd.com
In-Reply-To: <87brsuku89.fsf@snark.piermont.com>; from perry@piermont.com on Mon, Oct 06, 2003 at 04:05:10PM -0400
> In fact, if you're clever, you can manage to not trouble yourself to get
> the key-management, etc. certified, getting only the simple, symmetric-cipher
> stuff run through the process.
You can, but that doesn't mean that it's ok.
Key management is explicitly covered under FIPS 140-2. If you have an
underlying FIPS 140-2 module doing the basic low level crypto, and then
have (crypto based) key management performed outside the module boundary,
the larger system is not a FIPS 140-2 module, FIPS 140-2 compliant, or
appropriate for the protection of sensitive but unclassified information
within a federal agency without a separate FIPS 140-2 validation of the
larger module.
> The government will still buy your "encryption devices" (FIPS-140
> certified)
That will greatly depend on the sophistication of the agency concerned.
The US Forest Service (for example) may not have the level of understanding
of the FIPS 140-2 standard that the US Navy has.
Josh