[Cryptography Team] Today's Meeting update

Cerebus cerebus2 at gmail.com
Fri Dec 1 05:00:50 UTC 2006


On 11/30/06, Ron Teitelbaum <Ron at usmedrec.com> wrote:

> We may want to review openSSL and integrate that or NSS into squeak for
> people that have to have an FIPS validated system.  This would remove our
> need to be validated, and shift our job to interpreting and implementing
> external modules properly.

Personally I prefer NSS over OpenSSL.  OpenSSL's FIPS status is still
sorta in question (Why does the cryptval list still say "Not
Available"?).  NSS has better certificate management features.  In
addition, I've found it easier to get RedHat to address bugs &
features in NSS than it is to get active OpenSSL developers fired up
to fix things.

> It seems to me that there is little use for us to proceed with CC.  CC is
> more like a system evaluation.  They even call it a system evaluation.  The
> evaluation has different levels we would probably want 2 or 3 but in order
> to have something to validate we would actually need to write a system.

You get EAL2 just for showing up at the meetings is what I hear.  :)

> I'm told that if we want to do CC then we should look into foreign labs
> since CC is international and a validation from say the EU would be valid in
> the US.  Apparently Oracle saved a bundle doing this.

I'm given to understand that the US CC evaluators are backed up into
the next decade as well.  CC validation takes forever.  It takes
longer to get a PP approved (SLOSPP-MR took years, frex.).

-- Tim
