OpenSSL loses FIPS 140-2 Certification (Or Not) 102
OhHellWithIt writes "Government Computer News reported on Tuesday that OpenSSL has lost FIPS 140-2 certification, only six months after receiving it. It sounds like bad news for those of us who would like to see open source gain more of a foothold in U.S. federal workplaces." Readers have updated this story with an update saying the certification has shifted again.
Reasons Not Given? (Score:5, Insightful)
This is one of the most ridiculous statements I've ever read. How is the problem supposed to be fixed if the vendor is never told what the problem is, and so what if it's proprietary? When I read a statement like this it suggests to me that there's doesn't have to be a method behind how they determine what's rejected and what's not, the person(s) deciding could have simply had a proprietary "I'm in a bad mood today and want to take it out on someone" reason.
Politics != Security (Score:5, Insightful)
This doesn't bother me so much on its face; OpenSSL can only get better after this intense review. What bothers me is that the "opposing forces" are not likely receiving the same level of scrutiny and yet presumably are fully certified for sensitive information by the US government.
But of course they can't release the code for everyone else to review. People might steal their ideas, right? So how do we know they are secure rather than "mostly secure"? Or even worse, that they are "sort of secure, but the right people were taken out to dinner."
Re:Weasel words (Score:3, Insightful)
Re:FOIA? National Security?? (Score:1, Insightful)
Re:I'm guessing (Score:2, Insightful)
I of course, can't really back that up, but that's what it seems like to me.
Re:Stupid Politics (Score:4, Insightful)
It should have nothing to do with the recipient of the certification; it should be based on whether the product meets certain well established and reasonable criteria, given the best information at the time.
Furthermore, it makes sense not to tell the world exactly what the vulnerability you found which caused the product to be decertified, until your agencies can stop using it, which is not overnight.
However.
What doesn't make sense is concealing this from the organization that obtained the certification to begin with, and presumably could save the Federal government much cost and inconvenience by addressing the problem. IN fact, it's terrible.
How can we know this wasn't done as favor to a political contributor?
We can't.
Even before 9/11, the stance of this administration has been that explaining its reasons for doing things -- only in certain situations mind you -- unduly hampered it's ability to get frank and unvarnished advice from industry. Leaving aside that no presidency in living memory ever felt this to be a problem, we have to decide. We either can know that our officials aren't taking payoffs, OR we deprive those officials of advice whose nature is such that if we knew what it was there would be a public scandal.
If that last sentence seems hard to parse, it's because it doesn't make any sense. The underlying premise is absurd: that public officials need to be able to do shameful things.
Re:Reasons Not Given? (Score:2, Insightful)
think about it, if they told you why they rejected you, you could tell someone else what to do in order to pass that part of the test, thus jeopardising the validity of future tests.