At 03:56 PM 6/28/2007, Dave Jevans wrote:

>We very specifically say "Compliant" rather than "Validated" on our website.

I think the problem with claiming "compliance" is that the word is a synonym
for "conformance," but to "conform" with FIPS 140-2 (the current "blanket"
standard) a module *must* be validated:

"Cryptographic modules that are validated under the CMVP will be considered as
conforming to this standard." (FIPS 140-2, section 10, p. iv)

The only exception is made above that in section 7 where it states:

"Cryptographic modules that have been approved for classified use may be used
in lieu of modules that have been validated against this standard."

If your module hasn't been validated and hasn't been approved for classified
use, it doesn't conform with FIPS 140-2. To claim otherwise constitutes fraud.

>We are working with a lab to assist us through the FIPS 140-1 
>validation process.

-2? -1 died an unhappy death several years ago.

>We say FIPS Compliant on the website, rather than FIPS Validated, 
>because we have crypto components that have passed FIPS validation, 
>but our overall product is in process.  Once the full product has 
>been validated, we will update the site from Compliant to Validated.

Then perhaps it would be more accurate to claim "compliance" with one or
more specific algorithm FIPS (AES, etc.) rather than blanket "FIPS compliance"
which could too easily be read as "FIPS 140-2 compliance."

-mjm

_______________________________________________
FDE mailing list
http://www.xml-dev.com/mailman/listinfo/fde