>> (3) being in the USA I would trust a review by the NSA and a very few others.
>The "40 bit keys are all anyone needs" NSA? What's their incentive to
>encourage good firewalls? The Clipper Chip people?
Ok, you want the long form? I would trust the NSA to follow their charter
as currently directed by the political appointee that runs the place.
One size need not fit all.
Please notice that I said "I would trust...", did not say that anyone else
should, YOU have to make the decision who YOU are going to trust. Besides,
not everyone on this list is in the USofA so some would probably be better
served by asking the Mossad for advice. You have your phone numbers, I have
However, if I had a candidate FireWall and the NSA/NCSC had looked at it and
when I asked they said something like "we know of no reason to exclude it from
consideration" (don't expect to get an unclassified declarative sentence
from an NSA rep on duty beyond "it's a nice day"), it would probably stay
in contention (same goes for engineers 8*).
>OK folks, imagine there was to be a firewall certification authority. Who
>would you want them to be? Who do you trust?
I suspect that there is no one good answer to that since the question really
is "who do you trust to put your interests at least as high as their own".
For some lurkers, the answer might be "Emmanuel Goldstein", others "Arthur
Andersen", "Kroll Associates", or "my mother" - and *in their context*
each would be correct.
Of course, if you add "who is *competent* to certify a firewall", then the
list gets a whole lot shorter. Add "purely objectively" and we are down
to zero (a shame but true). Magazines try to be objective but typically
lack technical expertise and those techies on call are rarely unbiased.
So it comes down to "of those who are competent and whose biases will
probably coincide with those of my employer in this matter" and I said
"the NSA is one".
ps "the buck stops here"