Paul Wouters wrote:

> So while I just added a check, it should be completely redundant.

Depends.  I'd be wary of a system that proclaims itself FIPS enabled without
'seeing it with my own eyes'.  So I am not convinced this is redundant.

> Those are done within the libraries and applications. Libreswan has
> its own file list check, but does not check the NSS files. That's
> the job of NSS itself on its initialisation phase.

Yes, although the system perspective is a bit different.  While we all
benefit from crypto libraries and applications that support FIPS mode, none
of them are integrated into any specific system.

For instance if the system at boot finds a FIPS-related error then it should
stop everything.  For instance binary integrity failure. Report using one of
the FIPS logical interfaces and reboot. No library or application will do
that.  At runtime, at the service and protocol level, an error would be
surfaced, and there also a link to assure a predictable system behaviour in
that case has to be established. Which would be basically the same.  Stop
everything, report, reboot. In simple one-binary-firmware embedded systems
it can be simple.  In a unit using OpenSource components, a detailed
approach has to be developed.

It is still a Wish that OpenSource applications and libraries in general
should log errors in a standardized way, thus providing not only error-free
runtime parsing of log messages, but assurance that critical errors do get
logged.  OpenSSL for instance will abort if an app tries to use a non-FIPS
algorithm while running in FIPS mode.

> It has passed FIPS certification in a very recent past, and is in
> the process of another couple of certifications right now. I think
> we're good :)

Excellent! :)





--
View this message in context: 
http://mozilla.6506.n7.nabble.com/Using-NSS-in-FIPS-mode-tp350446p350523.html
Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
