> I work at the U.S. Census Bureau and would like to use Kerberos 5 as our network authentication protocol. The only problem is that for us to meet our Certification and Accreditation and use Kerberos 5, it must be certified under NIST 140-2. Do you have plans to have version 5 certified? My understanding is that version 4 was.
You of course have to decide what you want to do. I will only point out that the Department of Defense has set minimum required versions of open-source software that clearly has never been certified under FIPS 140-2 (well, okay, they don't use crypto modules which have been certified, but you knew that's what I meant); that tells me that at a DoD level, they seem to not care about FIPS 140-2. So I would question the practical relevance of FIPS 140-2 when using open-source software today.

I may be wrong, but I do not believe any implementation of Kerberos 4 ever went through a FIPS certification process; what you may be thinking of is that some implementations of DES that met the original FIPS requirements for DES could say that they were certified under some later specification (it's been a while, and I think I've forgotten many of the details).

When I looked into this for Kerberos, doing the certification cost around $25,000-$35,000 and took a couple of years. And having seen presentations from the people who did the work to get OpenSSL FIPS-certified, it seems that NIST is actively hostile to open-source software.

If you have a chunk of money sitting around and a few years to spend jousting at windmills, let us know. So far no one has done so.

--Ken

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
