[saag] Algorithms/modes requested by users/customers

Randall Atkinson rja at extremenetworks.com
Sun Feb 17 20:06:44 EST 2008 

Earlier Paul Hoffman said:
% If you had instead said "have been (or at least could be) evaluated",
% I would agree with you. Buyers want to know that, if pressed hard,
% they can say "well, it is like that other system over there that got
% certified", and to do that, the uncertified system has to at least
% support all the right crypto. There is a noticeable but
% non-quantifiable preference for systems with a FIPS 140 certificate,
% but (outside the USGovt, of course) nearly no hard demand.

It seems that what you are hearing and what I am hearing
differ somewhat in this area.

As an example, I've had multiple large non-US commercial firms
in the City of London tell me that they require FIPS-140 approvals
for cryptographic equipment they will purchase -- and that this
was originally the idea of their insurers.   These same firms have
very substantial networking deployments at present and purchase
equipment in large quantities.

Separately, several governments other than the USA are requiring
FIPS-140 approvals in equipment that they purchase.  These
other countries include places in Europe and Asia/Pacific and
other continents/regions.  Again, the volume of such systems is
both non-trivial and quantifiable.

% It would be a mistake for the IETF to look like we support
% the FIPS 140 certification process,

So far as I am aware, your comments above are the first suggestion
of that.  Certainly I did NOT suggest that and don't suggest it now.

% even though it makes good sense for us to use the algorithms in
% that process as the basis for a suggested cross-IETF algorithm suite.

That is farther than I went.  I simply suggested that there ought to
be open specifications for how to use FIPS-conformant algorithms
and modes with Internet protocols.  An "open specification" could be
an Informational status RFC, for example.  That way users who
do care about FIPS approvals would have a reasonable shot at
being able to  purchase interoperable equipment from multiple vendors
-- and implementers would have a clear specification to work with.

I did not (and do not now) advocate that the IETF standards track
ought to do any particular thing with respect to cryptographic
algorithms/modes.

Yours,

Ran Atkinson
rja at extremenetworks.com

More information about the saag mailing list