The Certification Ends Where the Code Begins 0 ▲ UNMITIGATED RISK 2 hours ago · 6 min read1183 words · Tech · hide · 0 comments Disclosure: I am an advisor to Binarly. I recently built the FIPS 140-3 Corpus, a dataset that pulls together the public record of FIPS validations. It combines CMVP certificate records, Security Policies, implementation details, operational environments, firmware versions, algorithm claims, and lifecycle data into something you can actually query and analyze rather than read one certificate at a time. I built it because I have spent enough years around certification programs to know that the interesting information is rarely in any single document. It emerges when you look at the record as a system. Once you do, a pattern shows up that I think deserves more attention than it gets. The public evidence tells you a great deal about what was evaluated and almost nothing about whether the code that shipped actually behaves the way the evaluation assumed. What the paper trail shows When you read Security Policies in bulk, you start seeing the same dependencies over and over. Validated… No comments yet. Log in to reply on the Fediverse. Comments will appear here.