Information Technology Reference
In-Depth Information
see the various certification organisations cooperating and saving me the need to have the
certificate; it costs me about 200,000 dollars to have the FIPS140 certificate issued. It is
a long and excruciating process in which they examine the software and the
implementation of the algorithms and the self-test, and if it is a level three certification
they go through the nuts and bolts that made the enclosure, etc. It is about a two-year
process and very expensive. For me to go through both FIPS and common criteria means
I have to double the efforts. We end up doing it when it is necessary, but our policy is to
go first to the American FIPS140. The FIPS140 and common criteria are a little bit
different from a security point of view in that they examine different issues, but generally
speaking they are very similar concepts. You also have to understand that the security
validation process is a business and people make money from it. So for example, in this
device that I showed you, we went through a FIPS140 validation process and we ran out
of power supplies. The power supply series we were using is not produced any more, so
we had to use a different supply. A different supply has certification and an electrical
power supply certainly has nothing to do with security features, but I cannot replace the
power supply without re-certifying the FIPS process. Re-certification cost 18,000
dollars. When you ask me to go through both common criteria and FIPS you are
basically asking me to fund two security-validation organisations, so we do it only if it is
necessary. In addition, certain organisations require a separate validation; for example,
EMC requires a Bruckner. Bruckner and his team went through all our sources, through
a terrorism examination and then gave us specific validation for EMC. When we sell to
Deutsche Bank, it requires us to open the sources to a third party and go through the
validation. When we sell in Singapore they tear us apart and make our lives a complete
misery. We do it if it pays. This is of course a legitimate concern and certainly a
legitimate request. Some customers of ours are less horrid because once we have sold to
Deutsche Bank and various military organisations, etc., they assume it is fine.
Concerning authentication, the two problems are separate problems. I have a solution
for your authentication problem. I sell authentication solutions; I can offer a number of
very strong authentication mechanisms that I recommend that you use, but I do not force
you to do so. You can use my products or you can use someone else's products. You can
have two video cameras on each laptop with a mechanism that measures the temperature
in your ear and you do not let anyone enter your system without your verification. It is an
octagonal problem and we find a good solution for your specific problem which we then
deploy. Perhaps you will decide that some users require the ear temperature mechanism
and, for some people, the use of a password is good enough. It is, as I said, an octagonal
problem and if you try and tie the two together you begin a complicated system again.
So with authentication laws, the American digital signature law is the easiest to pass. It
is very general and not very specific in terms of mechanisms and technology. In almost
all European Union directives, the EU has is own signature. Each country in Europe has
signature laws. We are compliant with EU signature laws; in fact we are compliant with
most digital signature laws in most countries. I cannot say for a fact that I have been
through each and every country to make sure that I have a legal opinion, but generally
speaking we are compliant. And let me maybe explain this in slightly more detail. All
digital signature laws talk about two different signature mechanisms; one is called
electronic signature which is a very weak form of signature and basically any electronic
record that you have is compliant with the electronic signature. In other words, if you
write in some file that Gadi downloaded on Saturday 13
th
, that is fine; but if you scan
someone's signature and paste it onto his word document, that is an electronic signature.
Search WWH ::
Custom Search