> As I read FIPS 140-2, it addresses hardware much more than software, and
> very much addresses "complete systems" or sometimes "components" and really
> does not address frameworks or pluggable environments much at all.
>
> OpenSource software loses here on several points:
> [...]

I don't want to get into the whole FIPS 140-2 mess ... but while it does mostly deal with hardware products, there is a path for software-only products to be certified. And it IS possible for open-source software to be certified ... look at the certificate and security policy for the FIPS-certified OpenSSL. Mind you, it's an uphill battle and I think it is worthless from a _security_ perspective ... for software I think the only value is so a government bureaucrat can check off a box on a form.

> Appendix A describes the documentation that is necessary.
> There's a lot of it, and it is very specific to the testing
> required for FIPS 140-2. $25K to hire somebody to produce
> this would be a real bargain for something as complicated as
> kerberos 5.

When I said $25K (that was a number of years ago) that was the fee charged by the testing labs that NIST uses. That's just for the FIPS 140-2 test ... generally you (the submitter) have to do all of the documentation yourself, as well as meet all of the bizarre and seemingly arbitrary NIST requirements.

> Appendix B describes the "recommended software development
> practice". These practices are probably a bit out of date, and
> certainly do not describe modern conventions for C. The testing &
> documentation is certainly considerably more rigorous than many
> open source projects. Note that the better organized projects
> at least approach the software methodology suggested here, with
> interesting differences: for instance the design stage may happen
> in part via online chat, unit testing may be on the honor system,
> functional specifications may be terse, & structure charts are
> nearly extinct except in the personnel department.

I was under the impression that those recommendations are not requirements.

> Rather than looking to the open source community to produce this, I
> think your best bet is to look at one of the vendors to do this.
> Say, Apple, Solaris, etc. They distribute the complete system,
> not just the software, so they have a better claim on "complete system",
> plus both the money stream, and the incentive, to pay for the
> certification. Apparently at least one of the Solaris people
> is already pursuing FIPS 140-2 for some of the lower-level crypto
> stuff (not kerberos yet).

Well, no one has even started the process yet AFAIK, so I think you'll be waiting a long time. The "complete system" is not really a barrier as I understand it.

--Ken

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
