Joseph Dal Molin wrote: > Say there was one, FDA....etc. approved version of Linux....perhaps the NSA > version would be a good place to start...would that not encourage the use of > Linux? What might at first seem like an onerous hurdle could in fact be a > blessing if there were a way to fund such an effort. > I don't think the FDA 'endorses' any particular bit of technology. What they are primarily concerned with is a concept they call consistency.
Consistency is meant to apply over a complete system: All IT components. All operating procedures. All relevant data sets. To get FDA approval one must undertake a certification process of the entire system. The certification process demonstrates that the entire system generates consistent results, that is given a set of inputs, it always generates the same outputs even when you include people in the system! In this context of systems, certifing one bit or all IT components independently of one another does not achieve the desired result. This is actually a very smart approach, it mimics very well what the best of the security community describes as best practice: End to end systems behavior is what is important: To give an example from the security realm: In the early implementation days of SSL, folks were quite overwhelmed by the elegance and sophistication of the PKI algorithms. This was great stuff.. But it soon became apparent that a implementation flaw in just one simple part of the system rendered the sophisticated PKI algorithms useless, i.e. a poor random number generator allowed one to predict the keys rather than try to break them! I clearly remember the e-mail that Tahar El-Gamal sent out profusely apologizing for one of these implementation errors on his watch at Netscape.
