[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FIPS-140 required?

To: dan_york@xxxxxxxxx
Subject: Re: FIPS-140 required?
From: Richard Barnes <rbarnes@xxxxxxx>
Date: Tue, 06 Feb 2007 11:09:57 -0500
Cc: Cullen Jennings <fluffy@xxxxxxxxx>, Dan Wing <dwing@xxxxxxxxx>, ietf-rtpsec@xxxxxxx, owner-ietf-rtpsec@xxxxxxxxxxxx
In-reply-to: <OF4CA68AF7.59F3B6DE-ON85257279.0002274B-85257279.00033872@xxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
References: <OF4CA68AF7.59F3B6DE-ON85257279.0002274B-85257279.00033872@xxxxxxxxx>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.9 (Windows/20061207)

I don't think that anyone was proposing that there be a "FIPS 140-2requirement" added to any IETF standards -- I think that would beunprecedented. What I was proposing, at least, was that we not doanything that would make FIPS 140-2 evaluation especially difficult.What that entails is essentially providing a clean separation between"security-relevant" data items and functionality (e.g., keys, IVs, etc.)and other parts of the protocol (e.g., sequence numbers, SSRCs).

While this is motivated by suitability for FIPS 140-2 evaluation, itseems like the actual effects on the protocol would be positive withrespect to other accreditation standards, and good protocol design ingeneral.


--Richard


dan_york@xxxxxxxxx wrote:

Dan,
Cullen's note reminded me that I also wanted to reply... with twodifferent hats:
Yes, we are occasionally seeing RFPs that state a FIPS-140 requirementfor any encryption, including that of SRTP. They are typically fromgovernment or occasionally financial institutions.
  (with my guy who works at Mitel hat)
I am assuming this is probably true, but I want to just state it so thatit's out in the open - I'm not entirely sure why you are asking, Dan,but I would certainly NOT want to see any changes to SRTP RFCs or otherdocuments that made FIPS-140 certification either a requirement or adefault for SRTP. I would like to see (and believe you do too) SRTPadopted widely and would not want to set up barriers that might get inthe way of a startup or other companies implementing SRTP (or using itas an excuse for why they can NOT implement SRTP). There's also the weelittle detail that FIPS is only a US government standard (althoughvarious other countries do follow it).
Again, I'm assuming you are not doing this, but with such a crypticquestion, I thought I'd just state that to be clear.
(with my guy who works with VOIPSA and wants to help encourage betterVoIP security throughout the industry hat)
Dan-who-has-too-many-hats

--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp.     http://www.mitel.com
dan_york@xxxxxxxxx +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication




	*Cullen Jennings <fluffy@xxxxxxxxx>*
Sent by: owner-ietf-rtpsec@xxxxxxxxxxxx

02/04/2007 11:36 AM
To: Dan Wing <dwing@xxxxxxxxx>
        cc:        <ietf-rtpsec@xxxxxxx>
        Subject:        Re: FIPS-140 required?






On Jan 26, 2007, at 2:54 PM, Dan Wing wrote:

 >
> Is anyone seeing a requirement for FIPS-140 for products that> implement
 > SRTP?


Yes

(with my guy who works at cisco hat:-)

References:
- Re: FIPS-140 required?
  - From: dan_york

Prev by Date: Re: FIPS-140 required?
Next by Date: Re: FIPS-140 required?
Previous by thread: RE: FIPS-140 required?
Next by thread: RTP UDP audio max packet size per codec
Index(es):
- Date
- Thread