[Dnssec-deployment] SCA6000 users [Re: SUN SCA6000 FIPS 140 certification]
Paul Hoffman
paul.hoffman at vpnc.org
Mon Mar 28 13:32:44 EDT 2011
> Not sure how familiar you are with FIPS140-2
Extremely. (Hint: I often write docs for NIST.)
> , but it is a broad
> certification of various aspects of security of a system to be purchased
> for use by a US Government entity for cryptographic purposes.
Right. Which TLDs are USgovt entities?
> As to why, for governmental TLDs (.mil and .gov) it's probably
> mandatory.
Other than those two, I meant. :-)
> For others it provides a strong indication that a device is
> secure.
We disagree here. FIPS 140 shows that the device does its cryptography correctly when the device is set to be in FIPS mode. Many devices that are not FIPS-certified can be shown to be cryptographically correct, and many FIPS-certified devices cannot easily be run in FIPS mode.
> This is especially important when private keys are stored
> "on-line".
We disagree here as well, given that FIPS 140 testing has nothing special for "on-line" mode.
--Paul Hoffman