Re: What *is* the power of the FIPS



> -	QUESTION: Just what is the power of the FIPS outside of the 
> interop issues in sending stuff back and forth from federal agencies?

The basic purpose of a FIPS is to instruct government agencies
on what kinds of equipment/software they should buy.
Some FIPSs are mandatory, but most are pretty optional.
However, in this case, the purpose is basically propaganda -
the NIST can set standards, and can announce "Hey, this is standard",
and even try to get other government agencies to buy lots and
lots of Clipperphones.

The so-called FIPS for Clipper was a horrendous abuse of the FIPS process;
I took advantage of my 10 years as a defense contractor to flame out the
proposed spec in great detail.  I don't think I've still got my critique,
but essentially I contended that the proposed "Escrowed Encryption Standard"
didn't describe escrow, didn't specify encryption, and wasn't a standard....
It was fun, if you can do that sort of thing and not inhale :-)

It wasn't escrow, because the functions it describes aren't escrow,
and it doesn't mandate that they be used in a way that performs
escrow functions using the functions it does perform.
It didn't specify an encryption algorithm.
It wasn't an implementable standard, since it didn't contain enough
information for a user agency to specify an equipment design ("ask the NSA" 
just _doesn't_ rate), or for a vendor to validate whether an equipment design
is compliant, or for a user to tell if it's working properly.
From the commentary around the final FIPS, which differed in some detail
from the draft FIPS, it looks like most of the public comments were about
the political issues, but a couple of changes appeared to be responses to
technical details from the public, including things I'd flamed them about.
I don't know how positive I feel about that .....

		Bill