[Discuss] Good and Bad Crypto
Richard Pieri
richard.pieri at gmail.com
Thu Apr 24 19:46:00 EDT 2014

Mike Small wrote:
> Btw. if having source code adds no value for verification, why do the
> FIPS CMVP procedures ask for it for the "Design Assurance" part of their
> review?
> http://csrc.nist.gov/groups/STM/cmvp/documents/CMVPFAQ.pdf

I'm surprised that nobody has chimed in on this one, yet, since quite a
few of you have experienced ISO 9000 certification procedures. It's the
same reason: documentation. Part of the validation process is
examination of documents related to the product to ensure consistency
with the submitted profiles. This includes comments in the source code.
--
Rich P.