[Cryptography Team] Squeak Cryptography Team Code CommercialAcceptance

Matthew S. Hamrick mhamrick at cryptonomicon.net
Thu Jan 12 17:59:39 CET 2006


Yes... that certification is out of reach. It is generally believed  
that one must possess a clearance even to be told the details of  
algorithms used at that level. So... in general... these  
people have a general aversion to open source crypto.

The other thing to consider talking about is other types of  
certifications / validations. FIPS140-2 (and be careful not to call  
it FIPS 140, level 2, that's something completely different)  
certifies your crypto and only your crypto. There's no discussion  
about more general "security" features. Common Criteria continues to  
simultaneously gain traction in the federal government and cause  
federal IT managers to pull their hair out. I don't believe there's a  
Common Criteria Protection Profile for virtual machines, but it would  
make a very interesting problem / project (speaking as someone who  
would love to receive funding to develop such a profile.)

On Jan 11, 2006, at 10:57 AM, Ron Teitelbaum wrote:

> I see that FIPS140-2 states that the certification is intended for  
> sensitive, not classified information.  Is it possible for us to be  
> certified for classified information, or is that certification out  
> of reach?
>
>
>
> Ron
>
> From: cryptography-bounces at lists.squeakfoundation.org  
> [mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf  
> Of Ron Teitelbaum
> Sent: Tuesday, January 10, 2006 6:35 PM
> To: 'Cryptography Team Development List'
> Subject: RE: [Cryptography Team] Squeak Cryptography Team Code  
> CommercialAcceptance
>
>
>
> Matt,
>
>
>
> Thanks for the information, I will review the process.  I would  
> think we could come up with the money you suggested to get certified.
>
>
>
> So to update our goals:
>
>
>
> 5) Get external US Government certification of Security for  
> external package and image components.
>
>
>
> Should be changed to:
>
>
>
> 5) Complete Cryptographic Module Validation Program (CMVP) through  
> the OpenSSL Federal Information Processing Standard (FIPS)  
> Certification Process.
>
>             5.1) Identify Experts in Group (recruit new members?)
>
>             5.2) Find repository and define structure for  
> documentation.
>
>             5.3) Document current frameworks
>
>             5.4) Develop new designs, following design goals (tbd  
> through open discussions) and document new framework.
>
>             5.5) Expert Design Review and Implementation  
> recursively until code complete
>
>             5.6) Identify Team Leaders to walk our project through  
> OpenSSL FIPS Cert Process
>
>             5.7) Raise Money for Cert Process
>
>             5.8) Complete Certification, Publicize results
>
>             5.9) Offer Reward for anyone that breaks code
>
>             5.10) Set up review committee that reviews  
> implementations (for a fee) and helps others get certified using  
> our code.
>
>
>
> Does anyone have any comments on the change?
>
>
>
> Ron Teitelbaum
>
> Squeak Cryptography Team Leader
>
> Ron at USMedRec.com
>
>
>
> From: cryptography-bounces at lists.squeakfoundation.org  
> [mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf  
> Of Matthew S. Hamrick
> Sent: Tuesday, January 10, 2006 4:22 PM
> To: Ron at USMedRec.com; Cryptography Team Development List
> Subject: Re: [Cryptography Team] Squeak Cryptography Team Code  
> CommercialAcceptance
>
>
>
>
>
> On Jan 10, 2006, at 10:30 AM, Ron Teitelbaum wrote:
>
>
>
> Does anyone have a suggestion for how to certify our code?
>
>
> In general... when talking about Security, you want to have the  
> design reviewed prior to having the code reviewed... but I guess we  
> can be agile about it. Maybe the thing to do would be to document  
> what we have in terms of architecture, find someone to do an  
> independent review of the architecture, incorporate architecture  
> changes recommended by the reviewer, then make code changes, then  
> have the code reviewed.
>
>
>
> The word "certify" has a lot of different meanings to different  
> people. If you're looking for FIPS certification, that's a long  
> process... and it costs money. The OpenSSL FIPS certification  
> process has been going on for at least a year or two with the bill  
> being footed by OSSI, HP, DoD and a couple other people whose names  
> escape me at the moment.
>
>
>
> The motivation there was that HP and DoD believed the certification  
> was an investment... pay a little up front so they can benefit from  
> the cost savings of using an open implementation of various crypto  
> algorithms. The last time I was involved in a CMVP effort, the  
> total bill to the independent lab was something on the order of  
> about $12k US. With the recent devaluation of the US peso, I'm  
> guessing it would probably run at least $18k US these days.
>
>
>
> I think it would be helpful if what we have done to prove our work
> (testing documentation ...), the qualifications of the person writing
> the code, and any reference materials were all kept in a single place.
> It would be helpful as a reference for others, and some proof that may
> be needed before someone considers adoption. What do you all think?
>
>
> I definitely agree with this!
>