(Great to see the discussion re-started, but I guess we can afford more than one subject line:-)
On 01/23/2014 03:54 AM, [email protected] wrote: > Those of us who deal with FIPS 140 and Common Criteria are now being asked > to document entropy sources, First, my sympathies for having to deal with that. But I do wonder to what extent we're finding such evaluations really useful. I know they are formal form-filling requirements in various contexts, but I'm not so sure I'm that comfortable treating them as a first order requirement when it comes to things we do in the IETF. I have seen a number of credible arguments that such schemes, as applied to crypto implementations, are actually counter- productive. So - how important is it that any new work in the IETF on this topic be consistent with a requirement for implementations to be evaluated via such schemes? My take would be that that's not hugely important and should lose out to "doing the right thing," but given that some folks do need to suffer such evaluations, we should think about 'em but treat any evaluation-scheme-specific requirements only as nice-to-have level requirements. I expect vendors who are forced into doing it might disagree though. S. _______________________________________________ dsfjdssdfsd mailing list [email protected] https://www.ietf.org/mailman/listinfo/dsfjdssdfsd
