Jim,

Knoke, Jim wrote:
> I see that NSS can be used for a number of applications in order to make
> those apps FIPS-certified, but I'm not clear on whether it can be used
> for IPsec. Will an IKE daemon like racoon actually use the NSS stuff?
> Would ESP functionality buried in the network stack use the NSS
> algorithms? I'm not sure how all this stuff fits together.
>
> I am trying to put together an IPsec solution for government customers
> who want the algorithms to be FIPS approved. I'd like to use open source
> software and Linux. I'm not seeing other native and open source crypto
> stuff for Linux that is FIPS certified, except for OpenSSL. And I'm
> thinking that OpenSSL can't help me with an IPsec implementation, but
> maybe I'm wrong.
>
> Thanks for any help.
If you are using NSS only from a daemon, then that could work. But if you need it at kernel privilege, keep in mind NSS is a set of libraries designed for user processes only.

I don't know enough about IPsec to know if NSS implements all the required algorithms for it. Probably not, since we never made any efforts in that direction. You might still be able to find another PKCS#11 module that implements the missing algorithms, and use it in conjunction with the NSS library in your daemon.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
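The reply's suggestion, loading a third-party PKCS#11 module into the NSS database that a user-space daemon (such as an IKE daemon) opens, and putting that database into FIPS mode, can be done from the shell with the `modutil` tool that ships with NSS. The script below is an added example written for this page, not code from the thread or from the NSS project. It assumes `modutil` is on `PATH`, uses the `sql:` database format, and the module name and library path passed to `nss_add_pkcs11_module` are placeholders: substitute the vendor's validated PKCS#11 library. Note that this only governs the daemon's crypto; ESP in the kernel still uses the kernel's own cipher implementations, which NSS cannot replace.

```shell
#!/bin/sh
# Added example: manage an NSS database for a user-space daemon with modutil.
# Assumes the NSS tools (modutil) are installed; paths/names are placeholders.
set -eu

# Create an empty NSS database (cert9.db/key9.db/pkcs11.txt) in DIR.
# -force skips modutil's interactive "browser may be running" prompt.
nss_db_init() {
    dir=$1
    mkdir -p "$dir"
    modutil -create -dbdir "sql:$dir" -force >/dev/null
}

# Register an external PKCS#11 module so NSS can delegate algorithms to it.
# NAME is a label of your choosing; LIB is the module's shared object.
# modutil tries to load LIB, so a bad path fails here rather than at runtime.
nss_add_pkcs11_module() {
    dir=$1 name=$2 lib=$3
    modutil -add "$name" -libfile "$lib" -dbdir "sql:$dir" -force >/dev/null
}

# Switch the internal softoken of this database into FIPS mode.
nss_enable_fips() {
    dir=$1
    modutil -fips true -dbdir "sql:$dir" -force >/dev/null
}

# Exit 0 if the database is in FIPS mode, non-zero otherwise.
nss_check_fips() {
    dir=$1
    modutil -chkfips true -dbdir "sql:$dir" >/dev/null 2>&1
}

# Print the modules NSS will load for this database (internal + external).
nss_list_modules() {
    dir=$1
    modutil -list -dbdir "sql:$dir"
}

# Usage demonstration; set NSS_DEMO=1 to run it. The module path below is
# a placeholder for a real FIPS-validated PKCS#11 library.
demo() {
    db=$(mktemp -d)
    nss_db_init "$db"
    nss_add_pkcs11_module "$db" "vendor-fips-token" /usr/lib/pkcs11/vendor-fips.so \
        || echo "module load failed: fix the library path" >&2
    nss_enable_fips "$db"
    nss_check_fips "$db" && echo "FIPS mode enabled for $db"
    nss_list_modules "$db"
}

if [ "${NSS_DEMO:-0}" = 1 ]; then
    demo
fi
```

Run with `NSS_DEMO=1 sh script.sh`; the daemon then opens the resulting directory as its NSS database, and algorithms implemented only by the external module are reached through NSS's normal PKCS#11 slot selection.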