[Cryptography Team] ECC and/or NSA Suite B?
Matthew S. Hamrick
mhamrick at cryptonomicon.net
Fri Nov 24 20:13:09 UTC 2006
On Nov 24, 2006, at 11:42 AM, Cerebus wrote:
> On 11/24/06, Matthew S. Hamrick <mhamrick at cryptonomicon.net> wrote:
>
>> With all the discussion of FIPS 140, I had assumed that most everyone
>> on the list is working on government contracts. Otherwise, why bother
>> with it?
>
> Because it enables its use in products. Without a FIPS certificate, a
> crypto implementation faces serious hurdles for inclusion in a product
> (and lately DoD has been cracking down on FIPS waivers). But it's
> hard to get people to pony up to pay for certification unless there's
> an immediate use. Chicken, meet egg. :)
>
Um... what products? For new products, the US DoD now requires Suite
B, not FIPS 140 for SBU.
You'll occasionally find a commercial interest like a bank or Fortune
500 that lists FIPS-140 as a requirement, but I've found that in the
banking industry, other standards X.<whatever> are more important and
in the Credit Card world PCI is WAAAY more important (of course PCI
doesn't currently list "approved" ciphers, so I can understand why
FIPS-140 is popular as a safe harbor).