
Re: [saag] Algorithms/modes requested by users/customers



Most of the standards are based on the assumption that you have some
software development processes in place and thus will have documentation
on the architecture and design of the product and not just the source
code.

One would think that you would also have done some testing based on the
knowledge of the design, interfaces and source code.

-----Original Message-----
From: pgut001 [mailto:pgut001 at cs.auckland.ac.nz] 
Sent: Thursday, March 06, 2008 12:38 AM
To: pgut001 at cs.auckland.ac.nz; rja at extremenetworks.com; Santosh Chokhani
Cc: saag at mit.edu
Subject: RE: [saag] Algorithms/modes requested by users/customers

"Santosh Chokhani" <SChokhani at cygnacom.com> writes:

>I do not think this is a forum for negotiations.

Absolutely, that's why I pointed out that I wasn't taking it as a price
quote, more to make a point.

>But, we will be happy to do FIPS testing for your product for Level 1 for
>quoted price.
>
>As to algorithms, all FIPS approved algorithms need to be tested.

And there's the rub, it's not just handing over $30K and getting back a
coloured certificate, you need to get the algorithms certified, prepare
a ton of paperwork, spend a considerable amount of time on this, and
that's where the $100K all-up figure comes from.  If I could simply hand
over $30K and the source code *with no further effort or expense on my
behalf* I'd jump at the chance.

Just to show that I'm not trying to pick on Cygnacom here I'll make this
an open offer to anyone:

  If I can hand you $30K and a copy of my source code and you can get me
  a FIPS 140 cert for it without me incurring any additional effort or
  expense, please get in touch.

>Have you yourself participated in a FIPS evaluation or have you looked
>at the NIST FIPS 140-2 DTR and FIPS 140-2 IG (i.e. Implementation
>Guidance) available on the Web?

Probably about half a dozen directly (+/- one or two, I haven't kept an
exact tally), and been involved indirectly in about a dozen more via
discussions with (and listening to complaining about :-) others going
through the process.  (Again, YMMV, I haven't kept an exact tally on the
latter, and in some cases it was nothing more than "what did you guys do
to get past ...?", and sympathising with them over problems).

Peter.



Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.