[Cryptography Team] Squeak Cryptography Team Code Commercial
Acceptance
Matthew S. Hamrick
mhamrick at cryptonomicon.net
Tue Jan 10 22:21:54 CET 2006
On Jan 10, 2006, at 10:30 AM, Ron Teitelbaum wrote:
> Does anyone have a suggestion for how to certify our code?
In general... when talking about Security, you want to have the
design reviewed prior to having the code reviewed... but I guess we
can be agile about it. Maybe the thing to do would be to document
what we have in terms of architecture, find someone to do an
independent review of the architecture, incorporate architecture
changes recommended by the reviewer, then make code changes, then
have the code reviewed.
The word "certify" has a lot of different meanings to different
people. If you're looking for FIPS certification, that's a long
process... and it costs money. The OpenSSL FIPS certification process
has been going on for at least a year or two with the bill being
footed by OSSI, HP, DoD and a couple other people whose names escape
me at the moment.
The motivation there was that HP and DoD believed the certification
was an investment... pay a little up front so they can benefit from
the cost savings of using an open implementation of various crypto
algorithms. The last time I was involved in a CMVP effort, the total
bill to the independent lab was something on the order of about $12k
US. With the recent devaluation of the US peso, I'm guessing it would
probably run at least $18k US these days.
> I think it would
> be helpful if what we have done to prove our work (testing
> documentation
> ...), the qualifications of the person writing the code, and any
> reference
> materials were all kept in a single place. It would be helpful as a
> reference for others, and some proof that may be needed before someone
> considers adoption. What do you all think?
I definitely agree with this!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://liststest.squeakfoundation.org/pipermail/cryptography/attachments/20060110/2cff0589/attachment.html
More information about the Cryptography
mailing list