NIST introduced a new version of FIPS 140-2 Annex A this month. A year ago, NIST changed the same document to include a reference to FIPS 186-3, an updated version of its Digital Signature Standard. The disturbing news a year ago was that new media blocks would have to incorporate an additional digital security certificate to pass FIPS testing. It’s now one year later, and the industry still has no method in place for managing this additional certificate.
Necessity is the mother of invention, and NIST has been doing its part to hedge necessity and support procrastination. Its latest version of FIPS 140-2 Annex A continues to point to both 186-2, the DSS version upon which the DCI spec was built, and 186-3, the DSS version NIST wants all industries to migrate to. Last year it hinted at a deadline for this transition of December 31, 2010. With that deadline now past, NIST has yet to state what’s on its mind.
One media block company reports that it needs to move forward with FIPS 140-2 testing anyway. To do so, it was required to add the additional certificate and split the media block security roles between the two digital certificates accordingly. Even with such new technology moving forward, DCI has been complacent in addressing the problem. The changes required of SMPTE standards are relatively small in scope, while the changes required by DCI in its spec are more significant. DCI has been complacent about moving forward with either effort.
The proposed solution is pictured below. The new second certificate must be assigned a new role (a type of classifier), and it will be up to SMPTE to document this new role in an amended version of 430-2 Digital Certificate.