[Cryptography Team] Squeak Cryptography Team Code Commercial Acceptance

[Matthew S. Hamrick]

On Jan 10, 2006, at 10:30 AM, Ron Teitelbaum wrote:

> Does anyone have a suggestion for how to certify our code?

In general... when talking about Security, you want to have the  
design reviewed prior to having the code reviewed... but I guess we  
can be agile about it. Maybe the thing to do would be to document  
what we have in terms of architecture, find someone to do an  
independent review of the architecture, incorporate architecture  
changes recommended by the reviewer, then make code changes, then  
have the code reviewed.

The word "certify" has a lot of different meanings to different  
people. If you're looking for FIPS certification, that's a long  
process... and it costs money. The OpenSSL FIPS certification process  
has been going on for at least a year or two with the bill being  
footed by OSSI, HP, DoD and a couple other people whose names escape  
me at the moment.

The motivation there was that HP and DoD believed the certification  
was an investment... pay a little up front so they can benefit from  
the cost savings of using an open implementation of various crypto  
algorithms. The last time I was involved in a CMVP effort, the total  
bill to the independent lab was something on the order of about $12k  
US. With the recent devaluation of the US peso, I'm guessing it would  
probably run at least $18k US these days.

> I think it would
> be helpful if what we have done to prove our work (testing  
> documentation
> ...), the qualifications of the person writing the code, and any  
> reference
> materials were all kept in a single place.  It would be helpful as a
> reference for others, and some proof that may be needed before someone
> considers adoption.  What do you all think?

I definitely agree with this!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://liststest.squeakfoundation.org/pipermail/cryptography/attachments/20060110/2cff0589/attachment.html