I see that FIPS 140-2 states that the certification is intended for sensitive, not classified information. Is it possible for us to be certified for classified information, or is that certification out of reach?
Ron

From: cryptography-bounces@lists.squeakfoundation.org [mailto:cryptography-bounces@lists.squeakfoundation.org] On Behalf Of Ron Teitelbaum
Sent: Tuesday, January 10, 2006 6:35 PM
To: 'Cryptography Team Development List'
Subject: RE: [Cryptography Team] Squeak Cryptography Team Code CommercialAcceptance

Matt,

Thanks for the information, I will review the process. I would think we could come up with the money you suggested to get certified.

So to update our goals:

5) Get external US Government certification of Security for external package and image components.

Should be changed to:

5) Complete Cryptographic Module Validation Program (CMVP) through the OpenSSL Federal Information Processing Standard (FIPS) Certification Process.
5.1) Identify Experts in Group (recruit new members?)
5.2) Find repository and define structure for documentation.
5.3) Document current frameworks
5.4) Develop new designs, following design goals (tbd through open discussions) and document new framework.
5.5) Expert Design Review and Implementation recursively until code complete
5.6) Identify Team Leaders to walk our project through OpenSSL FIPS Cert Process
5.7) Raise Money for Cert Process
5.8) Complete Certification, Publicize results
5.9) Offer Reward for anyone that breaks code
5.10) Set up review committee that reviews implementations (for a fee) and helps others get certified using our code.

Does anyone have any comments on the change?

Ron Teitelbaum
Squeak Cryptography Team Leader

From: cryptography-bounces@lists.squeakfoundation.org [mailto:cryptography-bounces@lists.squeakfoundation.org] On Behalf Of Matthew S. Hamrick
Sent: Tuesday, January 10, 2006 4:22 PM
To:
Subject: Re: [Cryptography Team] Squeak Cryptography Team Code CommercialAcceptance

On Jan 10, 2006, at 10:30 AM, Ron Teitelbaum wrote:
Does anyone have a suggestion for how to certify our code?
In general... when talking about Security, you want to have the design
reviewed prior to having the code reviewed... but I guess we can be agile about
it. Maybe the thing to do would be to document what we have in terms of
architecture, find someone to do an independent review of the architecture,
incorporate architecture changes recommended by the reviewer, then make code
changes, then have the code reviewed.
The word "certify" has a lot of different meanings to
different people. If you're looking for FIPS certification, that's a long
process... and it costs money. The OpenSSL FIPS certification process has been
going on for at least a year or two with the bill being footed by OSSI, HP, DoD
and a couple other people whose names escape me at the moment.
The motivation there was that HP and DoD believed the certification was
an investment... pay a little up front so they can benefit from the cost
savings of using an open implementation of various crypto algorithms. The last
time I was involved in a CMVP effort, the total bill to the independent lab was
something on the order of about $12k US. With the recent devaluation of the US
peso, I'm guessing it would probably run at least $18k US these days.
I think it would be helpful if what we have done to prove our work (testing documentation ...), the qualifications of the person writing the code, and any reference materials were all kept in a single place. It would be helpful as a reference for others, and some proof that may be needed before someone considers adoption. What do you all think?
I definitely agree with this!