[Esapi-user] [Esapi-dev] ESAPI 2.0 production status

Mike Boberski mike.boberski at gmail.com
Wed Jan 12 18:41:42 EST 2011


What is the result / goal of this NSA review?

Will this result in a specific version of ESAPI being:

   - CMVP/CAVP FIPS 140 validated, and/or
   - NIAP CC validated, and/or
   - Entered into some "NSA approved" registry,
   - Etc.

Are there plans to get ESAPI re-reviewed after all of these changes to
address NSA questions, to ensure they are addressed to their satisfaction? Will
non-NSA e.g. Walton changes be reviewed by NSA to ensure they don't undo NSA

Where will all NSA analysis and responses be posted so that claims of
working with them and so on may be independently verified by consumers? This
is not a flip question, certain people / segments of the population may be
concerned that e.g. back doors are somehow being engineered in.

How will users know they are using the blessed / certified version? How will
they know they are using it correctly? Is NSA blessing not just the crypto
but all of ESAPI? What specifically are they standing behind with their
review and recommendations? ESAPI's a mix of toys and tools, and more toys
and tools than just cryptographic security functions.

Many more questions along those lines. Maybe let us start here though. The
questions are from the perspective of a prospective adopter who has
requirements to use one or more of: CC validated, FIPS 140 validated, or NSA
approved cryptography.

Please keep in mind I'm trying to help. OWASP needs a much stronger
productization function than it currently has; right now ESAPI is all I care
about in terms of trying to help figure things out.


Mike B.

On Mon, Jan 10, 2011 at 11:15 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:

> On 01/08/2011 06:24 AM, Jim Manico wrote:
> > ESAPI Community,
> >
> > We recently received feedback from the NSA (and from Mr. Walton) on our
> > Encryptor implementation. Other than a few issues, which can be fixed in
> > short order, it was a generally positive review. Kevin Wall will email more
> > details on this soon.
> Note... I posted on re: this on 1/8 at 5:32pm US/Eastern time, but the message
> is "stuck" awaiting moderator approval because of the size of the attachment
> (a PDF of Jeff Walton's analysis of ESAPI's CryptoHelper.computeDerivedKeys()).
> I am not sure how much longer it will be until it is approved, but ask for
> your patience.
> Thanks,
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME