Congress would give us a "fair compromise"

Posted Jul 29, 2008 17:22 UTC (Tue) by dmarti (subscriber, #11625)
Parent article: Schneier on free software and liability

In theory this makes sense. But in the US political system, the big telcos, cable companies, incumbent IT and CE vendors, and copyright cartels "compromised" on the DMCA without including authors, readers, or libraries (or Bruce Schneier).

So why wouldn't big software companies and large software customers "compromise" on a software liability measure that excludes direct-to-user free software?

The Radio Act of 1927 took a thriving broadcast amateur radio scene (the first sports broadcast was a ham covering a boxing match) and effectively shut it down -- no music or general interest talk allowed. Liability could easily give us something similar for sites hosting free software.

Congress would give us a "fair compromise"

Posted Jul 29, 2008 17:59 UTC (Tue) by drag (subscriber, #31333)

They (closed source vendors) have tried to do this to stop people from using Free software for
anything involving government or state contracts that involve crypto.

When OpenSSL tried to get its FIPS certification over and over again, closed source vendors
raised objections after they received the cert and got it stripped. It took many successful
certifications until they got one that stood up against the closed vendors' objections.

----------

BTW... The other open source library that is approved is NSS.

Which is probably one of the big reasons Red Hat is trying to standardize its distribution
around that single crypto module. Which, from my perspective, is a pretty good idea.

So if anybody who cares reads this, it would be advantageous to make sure that any crypto you
write into programs can be made to use NSS or OpenSSL. :)

Congress would give us a "fair compromise"

Posted Jul 31, 2008 11:02 UTC (Thu) by cortana (subscriber, #24596)

Out of interest, what is that FIPS certification good for? Does it cover a particular release
of OpenSSL? Binaries of it compiled with particular options? Binaries of it compiled on
particular systems with particular compilers and linking against other libraries that were
compiled with particular options?

What happens when a distributor comes along and distributes their own version? I'm thinking of
a certain Linux distribution that was in the news not-so-long-ago here... :)

FIPS certification

Posted Jul 31, 2008 16:43 UTC (Thu) by james (subscriber, #1325)

https://fedoraproject.org/wiki/FedoraCryptoConsolidation says:

    "Products that perform cryptographic operations must be formally validated against the FIPS 140 specifications in order to be sold to the US Government. In addition, some businesses use FIPS 140 as a measure of quality of a given technology."

and

    "NSS, in contrast, allows all applications to inherit the NSS FIPS validation status by following some simple rules detailed in the NSS security policy document."

Hope this helps.

FIPS certification

Posted Aug 1, 2008 11:05 UTC (Fri) by dps (subscriber, #5725)

I work for a company that sells hardware security modules that are FIPS 140-2 level 3
certified in various shapes. One of the options is to limit the hardware to FIPS 140-2, and
the documentation explicitly states this does not improve security. The certification allows
organisations that want it to tick a FIPS 140-2 level 3 box.

I am fairly sure that your FIPS compliance certificate only applies to a single version: any
change inside the security boundary requires a new certificate.

OpenSSL and NSS cannot achieve FIPS 140-2 level 3 because this includes some physical security
properties which are clearly impossible for downloadable software to implement.

Congress would give us a "fair compromise"

Posted Jul 30, 2008 0:24 UTC (Wed) by clugstj (subscriber, #4020)

In what "theory" does this make sense? The last thing we need is more government
intervention. Software is buggy because the customers put up with it for the price they pay.
When customers care more about quality than they do about "features", the quality will go up (and so
will the price, by the way).

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds