Theo,

As am I, which was the point of the post :).  Too many people, in my
experience, spend time trying to certify just their solution, and don't
take the interfacing systems into consideration.

What good is certifying one part of a system when you have crap
application code?  All it means is that your "pwnage" takes place over a
FIPS 140-2 certified secure channel.

Too many people use that as an excuse to not do security elsewhere.
Many of these people are trying to get Microsoft-based security
solutions accredited, and use it as a check box on some spreadsheet to
convince management that their solution is more secure just because of a
certification that gets invalidated every time you patch the system
(Patch Tuesday, anyone?), or change the system so that it doesn't match
the baseline.

I've seen too many people try to spread the FIPS or Common Criteria
magic dust over bad code to get it certified.  It doesn't matter what OS
you run.  Bad code is universal, and completely invalidates any security
certification of the underlying system.

Mitch

-----Original Message-----
From: Theo de Raadt [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2008 12:02 AM
To: Mitch Parker
Cc: Ryan McBride; misc@openbsd.org
Subject: Re: FIPS 140-2

> What good is an OpenBSD system running with a FIPS 140-2 certified
> cryptographic component handling SSL and SSH (using AES-256) if the
> interfacing systems aren't also well-protected, and your applications
> running on the system don't have safeguards against malicious usage?

You're right -- better go back to Windows running FIPS 140-2 certified
components....

I'm very very cynical about FIPS.
