[Cryptography Team] Squeak Cryptography Team Code Commercial Acceptance

Ron Teitelbaum Ron at USMedRec.com
Wed Jan 11 00:35:07 CET 2006


Matt,

 

Thanks for the information. I will review the process. I would think we
could come up with the money you suggested to get certified.

 

So to update our goals: 

 

5) Get external US Government certification of Security for external package
and image components.

 

Should be changed to:

 

5) Complete Cryptographic Module Validation Program (CMVP) through the
OpenSSL Federal Information Processing Standard (FIPS) Certification
Process.

    5.1) Identify Experts in Group (recruit new members?)

    5.2) Find repository and define structure for documentation.

    5.3) Document current frameworks

    5.4) Develop new designs, following design goals (tbd through
         open discussions) and document new framework.

    5.5) Expert Design Review and Implementation recursively until
         code complete

    5.6) Identify Team Leaders to walk our project through OpenSSL
         FIPS Cert Process

    5.7) Raise Money for Cert Process

    5.8) Complete Certification, Publicize results

    5.9) Offer Reward for anyone that breaks code

    5.10) Set up review committee that reviews implementations (for
          a fee) and helps others get certified using our code.

 

Does anyone have any comments on the change?

 

Ron Teitelbaum

Squeak Cryptography Team Leader

Ron at USMedRec.com 

 

  _____  

From: cryptography-bounces at lists.squeakfoundation.org
[mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf Of
Matthew S. Hamrick
Sent: Tuesday, January 10, 2006 4:22 PM
To: Ron at USMedRec.com; Cryptography Team Development List
Subject: Re: [Cryptography Team] Squeak Cryptography Team Code
Commercial Acceptance

 

 

On Jan 10, 2006, at 10:30 AM, Ron Teitelbaum wrote:





Does anyone have a suggestion for how to certify our code? 

 

In general... when talking about Security, you want to have the design
reviewed prior to having the code reviewed... but I guess we can be agile
about it. Maybe the thing to do would be to document what we have in terms
of architecture, find someone to do an independent review of the
architecture, incorporate architecture changes recommended by the reviewer,
then make code changes, then have the code reviewed.

 

The word "certify" has a lot of different meanings to different people. If
you're looking for FIPS certification, that's a long process... and it costs
money. The OpenSSL FIPS certification process has been going on for at least
a year or two with the bill being footed by OSSI, HP, DoD and a couple other
people whose names escape me at the moment.

 

The motivation there was that HP and DoD believed the certification was an
investment... pay a little up front so they can benefit from the cost
savings of using an open implementation of various crypto algorithms. The
last time I was involved in a CMVP effort, the total bill to the independent
lab was something on the order of about $12k US. With the recent devaluation
of the US peso, I'm guessing it would probably run at least $18k US these
days.





I think it would be helpful if what we have done to prove our work (testing
documentation ...), the qualifications of the person writing the code, and
any reference materials were all kept in a single place. It would be helpful
as a reference for others, and some proof that may be needed before someone
considers adoption. What do you all think?

 

I definitely agree with this!
