Subject: Re: NetBSD US Government Certified?
To: David Laight <email@example.com>
From: Jim Wise <firstname.lastname@example.org>
Date: 08/05/2003 17:46:05
On Tue, 5 Aug 2003, David Laight wrote:
>> Let's read between the lines here:
>To force departments to buy 'certified' software from specific
>suppliers, effectively stopping any small (and especially foreign)
>companies competing due to the excessive costs of certification.
>Some of the EMC tests have much the same effect.
Now this is just silly -- having just come from a small company which
for better or worse sought and received FIPS certification for a network
security product, I'd like to point out that such certification _is_
attainable at a level of expense most small companies can pony up, and
_does_, as the term `certify' suggests, warrant that certain statements
are true of a certified product.
That certain facts about a product's use of crypto are true does not, of
itself, make such a product `secure', of course. It does answer, in an
agreed-upon way, certain questions which often arise in analyzing the
securability of such a product, however.
There's plenty of snake-oil out there. To pretend that defined
standards with third-party verification are a step in the wrong
direction makes about zero sense, AFAICT...