[zeromq-dev] CurveZMQ non-technical issues

Pieter Hintjens ph at imatix.com
Mon Apr 20 20:18:53 CEST 2015


There is no restriction on the use (as such) of uncertified security
algorithms. Some bodies may demand FIPS certification for any security
products they use. This would then exclude CURVE, CurveZMQ, NaCl, and
any other uncertified (and uncertifiable) algorithms.

Anyone wishing to *sell* security products to such customers is more
than welcome to build a FIPS certified mechanism and contribute that
to the ZeroMQ community.

In 2015 we have understood that FIPS certification tends to mean "more
breakable", rather than "more secure". I don't think anyone sincerely
trusts NIST security standards.

This is not a case of bureaucracy getting in the way of security. It
is rather, bureaucracy being used to deliberately weaken the security
products used by networks that certain agencies feel it would be
profitable to be able to monitor.

We don't have any strong opinion on this, which is why ZeroMQ has
extensible security mechanisms, and why we would happily accept money
to develop mechanisms that can be FIPS certified.

-Pieter

On Mon, Apr 20, 2015 at 6:44 PM, Stephen Hemminger
<stephen at networkplumber.org> wrote:
> Is anyone doing anything about CurveZMQ and compliance?
>
> Right now we may not be able to use CurveCP/NaCl because of FIPS
> and possible crypto export bureaucrats. It seems only OpenSSL
> is allowed.
>
> This is a case of bureacracy getting in the way of security.
> Surely other people have run into the same problem.



More information about the zeromq-dev mailing list