On Tue, Oct 7, 2008 at 5:22 PM, Subrata Mazumdar <[EMAIL PROTECTED]> wrote:
> I guess that the problem is in documentation and the PSM GUI. The PSM
> GUI should have clearly stated
> the password policy requirement in the password change dialog window.
> Also, NSS should have enforced the FIPS password policy during the FIPS
> enablement. It should not
> have enabled the internal token for FIPS with non-compliant password.

...which means that the FIPS token code needs to be changed, which requires a new FIPS validation procedure. Unless it can be handled by a "vendor letter change"? I'm not a FIPS validation expert, but it's a problem with the code which is already validated (the token is passed the password to initialize itself).

I'm still wondering how the FIPS code is guaranteed to be stable (and hence can be called FIPS-validated in every build), since CVS is very easy to tamper with by anyone who can run cvsadmin or has physical access to the machine the repository is on. Is there an original submission tarball somewhere that it can be periodically audited against?

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto