Subject: Re: NetBSD US Government Certified?
To: David Laight <david@l8s.co.uk>
From: Jim Wise <jwise@draga.com>
List: netbsd-advocacy
Date: 08/05/2003 17:46:05

On Tue, 5 Aug 2003, David Laight wrote:

>> Let's read between the lines here:
>
>You missed:
>
>To force departments to buy 'certified' software from specific
>suppliers, effectively stopping any small (and especially foreign)
>companies competing due to the excessive costs of certification.
>
>Some of the EMC tests have much the same effect.

Now this is just silly -- having just come from a small company which
for better or worse sought and received FIPS certification for a network
security product, I'd like to point out that such certification _is_
attainable at a level of expense most small companies can pony up, and
_does_, as the term `certify' suggests, warrant that certain statements
are true of a certified product.

That certain facts about a product's use of crypto are true does not, of
itself, make such a product `secure', of course.  It does answer, in an
agreed-upon way, certain questions which often arise in analyzing the
securability of such a product, however.

There's plenty of snake-oil out there.  To pretend that defined
standards with third-party verification are a step in the wrong
direction makes about zero sense, AFAICT...

-- 
				Jim Wise
				jwise@draga.com