Hi Peter,

On 2/20/08 3:36 AM, "Peter Gutmann" <pgut001 at cs.auckland.ac.nz> wrote:

> mcgrew <mcgrew at cisco.com> writes:
>
>> Winston Churchill said that democracy is the worst form of government, except
>> for all of the others. I think that the same is true for the FIPS-140
>> cryptomodule validation process ;-)
>
> I think it's more a case of the Politician's Fallacy:
>
> 1. Something must be done.
> 2. This is something.
> 3. This must be done.
>

I like that.

> It'd be interesting to see a study of the effectiveness in terms of finding
> security and interop problems of:
>
> A. A FIPS 140 eval.
>
> B. Running the code through Fortify/Coverity/whatever and completing a crypto
> exchange with a peer (TLS, S/MIME, PGP, whatever the underlying crypto is
> that's being used).
>
> in particular in terms of return for effort-involved.
>
> Peter.

I share your interest in the automation of validation testing; the more that can be automated, the better. It would be great to see more work in this area.

David