Tim, could you explain this in more detail?
You get EAL2 just for showing up at the meetings is what I hear. :)
Thanks,
Ron
-----Original Message-----
From: cryptography-bounces@lists.squeakfoundation.org [mailto:cryptography-bounces@lists.squeakfoundation.org] On Behalf Of Cerebus
Sent: Friday, December 01, 2006 12:01 AM
To: Ron@usmedrec.com; Cryptography Team Development List
Subject: Re: [Cryptography Team] Todays Meeting update
On 11/30/06, Ron Teitelbaum <Ron@usmedrec.com> wrote:
> We may want to review openSSL and integrate that or NSS into squeak for people that have to have an FIPS validated system. This would remove our need to be validated, and shift our job to interpreting and implementing external modules properly.

Personally I prefer NSS over OpenSSL. OpenSSL's FIPS status is still sorta in question (Why does the cryptval list still say "Not Available"?). NSS has better certificate management features. In addition, I've found it easier to get RedHat to address bugs & features in NSS than it is to get active OpenSSL developers fired up to fix things.
> It seems to me that there is little use for us to proceed with CC. CC is more like a system evaluation. They even call it a system evaluation. The evaluation has different levels we would probably want 2 or 3 but in order to have something to validate we would actually need to write a system.

You get EAL2 just for showing up at the meetings is what I hear. :)
> I'm told that if we want to do CC then we should look into foreign labs since CC is international and a validation from say the EU would be valid in the US. Apparently Oracle saved a bundle doing this.

I'm given to understand that the US CC evaluators are backed up into the next decade as well. CC validation takes forever. It takes longer to get a PP approved (SLOSPP-MR took years, frex.).
-- Tim
_______________________________________________
Cryptography mailing list
Cryptography@lists.squeakfoundation.org
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography