Various wrote:
> >I work at the U.S. Census Bureau and would like to use Kerberos 5 as our
> >network authentication protocol.  The only problem is that for us to meet
> >our Certification and Accreditation and use Kerberos 5, it must be
> >certified under NIST 140-2.  Do you have plans to have version 5 certified?
> >My understanding is that version 4 was.
...
> When I looked into this for Kerberos, doing the certification cost
> around $25,000-$35,000 and took a couple of years.  And having seen
...

As I read FIPS 140-2, it addresses hardware much more than software, and
very much addresses "complete systems" or sometimes "components" and really
does not address frameworks or pluggable environments much at all.

OpenSource software loses here on several points:
 1. it's not a "finished" system.  Somebody might come along at any
        point and change it, invalidating any test results done until
        that point.
 2. the development process for "open source" does not generally conform
        to FIPS 140-2 appendix A and B.

        Appendix A describes the documentation that is necessary.
        There's a lot of it, and it is very specific to the testing
        required for FIPS 140-2.  $25K to hire somebody to produce
        this would be a real bargain for something as complicated as
        kerberos 5.

        Appendix B describes the "recommended software development
        practice".  These practices are probably a bit out of date, and
        certainly do not describe modern conventions for C.  The testing &
        documentation is certainly considerably more rigorous than many
        open source projects.  Note that the better organized projects
        at least approach the software methodology suggested here, with
        interesting differences: for instance the design stage may happen
        in part via online chat, unit testing may be on the honor system,
        functional specifications may be terse, & structure charts are
        nearly extinct except in the personnel department.

In fact, I think kerberos 5 probably conforms to about half of
these practices.  For instance, the "life-cycle software engineering
recommendations" include the phrase "may".  I suspect the kerberos
developers actually follow most of those practices, but may be resistant
to documenting that they did so.  The coding standards contain many
"shoulds" for things that MIT kerberos actually follows far less rigidly.
MIT kerberos certainly uses gotos (...using only structured programming
constructs...), unions ("equivalence of variables should not be used..."),
global variables ("should not be used..."), and more than 2 exit points
for many routines ("...at most two exit points").  In-line documentation
is certainly *far* sparser than the appendix B authors suggest.

Rather than looking to the open source community to produce this, I
think your best bet is to look at one of the vendors to do this.
Say, Apple, Solaris, etc.  They distribute the complete system,
not just the software, so they have a better claim on "complete system",
plus both the money stream, and the incentive, to pay for the
certification.  Apparently at least one of the Solaris people
is already pursuing FIPS 140-2 for some of the lower-level crypto
stuff (not kerberos yet).

                                -Marcus Watts
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos