If a vendor backdoors a product and it is discovered by a researcher, why would an org EVER trust that vendor again?
@bertjwregeer can you cite an example of FIPS-140 mandating a vendor who has a documented *clear* backdoor? please? =)
@attritionorg RSA BSAFE just got pulled, since it only implemented Dual EC crap for random number stuff.
@bertjwregeer did FIPS-140 mandate RSA BSAFE toolkits specifically?
@attritionorg no, but FIPS 140 was a requirement and the only vendor allowed to supply the implementation that was certified was RSA BSAFE
@bertjwregeer so 2 documents/requirements would show that ultimately? can you send me links?
@attritionorg nope, this is not a public project.
@bertjwregeer FIPS-140 is public... no?
@attritionorg yes, but the contract requiring RSA's BSAFE implementation of FIPS 140 crypto is not public.
@bertjwregeer that contract from the gov? if so, maybe open to FOIA?