[148358] in cryptography@c2.net mail archive
[Cryptography] The lie of FIPS
daemon@ATHENA.MIT.EDU (Richard Outerbridge)
Wed Dec 4 19:02:45 2013
X-Original-To: cryptography@metzdowd.com
From: Richard Outerbridge <outer@interlog.com>
In-Reply-To: <AAE32A1E-45D2-4B41-9C9F-27DF98904F12@seiden.com>
Date: Wed, 4 Dec 2013 18:55:49 -0500
To: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Cc: Phillip Hallam-Baker <hallam@gmail.com>, Mark Seiden <mis@seiden.com>,
Hannes Frederic Sowa <hannes@stressinduktion.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 2013-12-04 (338), at 17:49:51, Mark Seiden <mis@seiden.com> wrote:
[=85.]
> the device could comply with fips 140 level 4, if only anyone were willin=
g to pay the $200k in certification
> costs for a device that costs $50 in parts cost to make...
The last time I checked FIPS certification of Banking HSMs (Hardware Securi=
ty Modules) _only_ covered the loading
of vendor certified software into the module. In other words, the HSM was =
only certified to be able to securely
load vendor certified software. There was no implicit or explicit guarante=
e that the thereupon loaded software
could be relied upon to operate securely.
__outer
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
