Cullen's note reminded me that I also
wanted to reply... with two different hats:
Yes, we are occasionally seeing RFPs
that state a FIPS-140 requirement for any encryption, including that of
SRTP. They are typically from government or occasionally financial
institutions.
(with my guy who works at Mitel
hat)
I am assuming this is probably true,
but I want to just state it so that it's out in the open - I'm not
entirely sure why you are asking, Dan, but I would certainly NOT want to
see any changes to SRTP RFCs or other documents that made FIPS-140 certification
either a requirement or a default for SRTP. I would like to see (and
believe you do too) SRTP adopted widely and would not want to set up barriers
that might get in the way of a startup or other companies implementing
SRTP (or using it as an excuse for why they can NOT implement SRTP). There's
also the wee little detail that FIPS is only a US government standard (although
various other countries do follow it).
Again, I'm assuming you are not doing
this, but with such a cryptic question, I thought I'd just state that to
be clear.
(with my guy who works with VOIPSA
and wants to help encourage better VoIP security throughout the industry
hat)
Dan-who-has-too-many-hats
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp. http://www.mitel.com
dan_york@xxxxxxxxx +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication
Cullen Jennings <fluffy@xxxxxxxxx> Sent by: owner-ietf-rtpsec@xxxxxxxxxxxx
02/04/2007 11:36 AM
To:
Dan Wing <dwing@xxxxxxxxx>
cc:
<ietf-rtpsec@xxxxxxx>
Subject:
Re: FIPS-140 required?
On Jan 26, 2007, at 2:54 PM, Dan Wing wrote:
>
> Is anyone seeing a requirement for FIPS-140 for products that
> implement
> SRTP?