Nelson B wrote:
David Stutzman wrote:
Hopefully these will be relatively easy questions for you guys. I'm asking about the internal softtoken.

Is there a max length for a cert nickname?

I think NSS imposes no maximum.  I suspect that values longer than
about 15KB will not work.  :)  In practice the name should be short
enough to be easily displayed on one line in a cert selection dialog.

What is the min/max password length when the module is operating in FIPS 140-2 mode?

Wan-Teh will have to answer that.  I think it has changed recently.
It seems that the requirements have changed since the last time NSS was
FIPS 140 evaluated, or at least our new test lab interprets them very
differently.
see: http://wiki.mozilla.org/Security_Policy#Specification_of_Roles

In FIPS mode, the NSS cryptographic module imposes the following requirements on the password.

   * The password must be at least seven characters long.
   * The password must consist of characters from three or more character classes. We define five character classes: digits (0-9), ASCII lowercase letters, ASCII uppercase letters, ASCII non-alphanumeric characters (such as space and punctuation marks), and non-ASCII characters. If an ASCII uppercase letter is the first character of the password, the uppercase letter is not counted toward its character class. Similarly, if a digit is the last character of the password, the digit is not counted toward its character class.


I've read in the past somewhere something about needing to enforce the minimum password length for FIPS mode in the future as it's not being done now. I have some modules in FIPS mode and when I query the minimum password length with PK11_GetMinimumPwdLength it reports 7 but I am currently using a password of length 4 and everything is working just fine.

That doesn't sound right (to me).
Are you sure you're running in FIPS mode?

I just want to make sure things will work ok in the future when the final FIPS approved version of NSS comes out.


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
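
The two FIPS-mode password rules quoted in the thread above, written out as a check. This is an added example, not part of the original messages and not NSS's own code: the function names are hypothetical, and counting the length in UTF-8 characters rather than bytes is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; these names are hypothetical, not NSS functions. */
enum { C_DIGIT = 1, C_LOWER = 2, C_UPPER = 4, C_OTHER = 8, C_NONASCII = 16 };

static int char_class(unsigned char c) {
    if (c >= 0x80) return C_NONASCII;
    if (c >= '0' && c <= '9') return C_DIGIT;
    if (c >= 'a' && c <= 'z') return C_LOWER;
    if (c >= 'A' && c <= 'Z') return C_UPPER;
    return C_OTHER;               /* space, punctuation, other ASCII */
}

/* Number of character classes that count toward the rule. */
int fips_password_classes(const char *pw, size_t len) {
    int seen = 0, n = 0;
    for (size_t i = 0; i < len; i++) {
        int cls = char_class((unsigned char)pw[i]);
        if (cls == C_UPPER && i == 0) continue;        /* leading capital is ignored */
        if (cls == C_DIGIT && i == len - 1) continue;  /* trailing digit is ignored */
        seen |= cls;
    }
    for (; seen; seen >>= 1) n += seen & 1;
    return n;
}

/* Assumption: length is counted in UTF-8 characters, so continuation
 * bytes (10xxxxxx) are skipped; the input is taken to be valid UTF-8. */
size_t utf8_chars(const char *pw, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (((unsigned char)pw[i] & 0xC0) != 0x80) n++;
    return n;
}

int fips_password_ok(const char *pw) {
    size_t len = strlen(pw);
    return utf8_chars(pw, len) >= 7 && fips_password_classes(pw, len) >= 3;
}

int main(void) {
    /* Constructed sample passwords. */
    const char *samples[] = { "pass", "Password1", "pAssw0rd!", "abcd1\xc3\xa9x" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s %s\n", samples[i], fips_password_ok(samples[i]) ? "ok" : "rejected");
    return 0;
}
```

`Password1` is rejected even though it is nine characters long: with the leading capital and the trailing digit discounted, only the lowercase class counts.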
