[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [saag] Algorithms/modes requested by users/customers

From: Paul Hoffman <paul.hoffman at vpnc.org>
To: "Santosh Chokhani" <SChokhani at cygnacom.com>, "Stephen Kent" <kent at bbn.com>
Cc: saag at mit.edu, Randall Atkinson <rja at extremenetworks.com>
Date: Tue, 19 Feb 2008 10:04:12 -0800
In-reply-to: <FAD1CF17F2A45B43ADE04E140BA83D483C4E93 at scygexch1.cygnacom.com>
References: <8329C86009B2F24493D76B486146769A9429B7A8 at USEXCHANGE.corp.extremenetworks. com> <p06240804c3de211f0592 at [10.20.30.162]><p06240504c3e09559649c at [192.168.0.10 2]> <p06240804c3e0ad5d1fa4 at [10.20.30.152]> <FAD1CF17F2A45B43ADE04E140BA83D483C4E93 at scygexch1.cygnacom.com>

At 11:49 AM -0500 2/19/08, Santosh Chokhani wrote:

On the issue of restart, that is misunderstanding on Paul's part.  There
is no restart.

Ahem. I am reporting what the members of VPNC report to me. They arethe vendors in the testing, not me. I have heard this from multiplevendors. If I was not clear that I was reporting what others said, Iapologize.

Generally, problem is fixed and you pick up that point.

Not to be too picky, but how can you say "generally" without seeingevery test that was stopped? Maybe you have not had this problem, butothers say they have.

Subjective tests seems to be misunderstanding on Paul's part.  Having
been in the Orange Book, CC and FIPS process, I as validator, tester,
and certifier as well as vendor generally rue about rigidness of the
standard and lack of subjective judgment on the part of the tester or
lack of subjective latitude to vendors.

If you, as a tester, feel that there are no subjective parts of thetest process, that's fine. Some/many people who are being testeddisagree with you.

FIPS 140 has specific guidelines on how to deal with minor incremental
changes that helps reduce cost and calendar time.

Great! It does not seem to have gotten through to the vendorsthemselves as "inexpensive enough" or "fast enough". As a tester, youmay have a different view.

The standard is NOT a protocol standard.  It does verify the algorithm
implementations and thus, FIPS validated algorithms can interoperate.


Quite true.

In terms of low end devices, 20-30K for level 1 testing amortized over
devices does not seem too onerous.

...to you. Others disagree, both on the financial cost, andparticularly on the cost of elapsed time before customers can use thelatest release from a vendor.

I do not understand what Paul refers to as silly modes.  The module
being FIPS validated must use FIPS validated or recognized algorithms
for a given crypto service.  That seems like a good thing to me.

That is a good thing; it is also not what I was talking about. Thereis disagreement about what needs to be in a "FIPS mode", and whetherthe shipped product needs to allow "FIPS mode" to be enabled, and ifso, how.

Again: I am reporting what I hear from many VPNC members over manyyears. You as a single vendor and/or tester might feel differently;your feeling does not invalidate the views of others.


--Paul Hoffman, Director
--VPN Consortium

Follow-Ups:
- Re: [saag] Algorithms/modes requested by users/customers
  - From: Santosh Chokhani

References:
- Re: [saag] Algorithms/modes requested by users/customers
  - From: Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/customers
  - From: Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/customers
  - From: Santosh Chokhani

Prev by Date: Re: [saag] Algorithms/modes requested by users/customers
Next by Date: Re: [saag] Algorithms/modes requested by users/customers
Previous by thread: Re: [saag] Algorithms/modes requested by users/customers
Next by thread: Re: [saag] Algorithms/modes requested by users/customers
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.