Edgecombe, Jason wrote:
> I remember reading in Linux journal that openssl had been certified.
>
> http://www.linuxjournal.com/node/7644/print
>
> I vaguely remember something else about getting source code certified
> instead of compiled code, but I can't find it.

There was a discussion on 8/10 on the openssl mailing list, "Windows build of
FIPS 1.1.1 is not thread-safe", which led to some interesting discussions
about compilers, and what could and could not be done to use the software.

http://csrc.nist.gov/cryptval/140-1/140sp/140sp642.pdf (a 2MB PDF) is the
OpenSSL document for NIST.

http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf is the implementation
guide; see section G5 for what a vendor and/or a user can do with source code.

http://csrc.nist.gov/cryptval/140-1/140crt/140crt642.pdf is the OpenSSL
certificate.

> Jason
>
> Jason Edgecombe
> Solaris & Linux Administrator
> Mosaic Computing Group, College of Engineering
> UNC-Charlotte
> Phone: (704) 687-3514
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Watts
> Sent: Saturday, September 01, 2007 7:47 AM
> To: [email protected]
> Subject: Re: Kerberos 5 certified under NIST 140-2.
>
> Various wrote:
>>> I work at the U.S. Census Bureau and would like to use Kerberos 5 as our
>>> network authentication protocol. The only problem is that for us to meet
>>> our Certification and Accreditation and use Kerberos 5, it must be
>>> certified under NIST 140-2. Do you have plans to have version 5 certified?
>>> My understanding is that version 4 was.
> ...
>> When I looked into this for Kerberos, doing the certification cost
>> around $25,000-$35,000 and took a couple of years. And having seen
> ...
>
> As I read FIPS 140-2, it addresses hardware much more than software, and
> very much addresses "complete systems" or sometimes "components" and really
> does not address frameworks or pluggable environments much at all.
>
> OpenSource software loses here on several points:
> 1. it's not a "finished" system. Somebody might come along at any
>    point and change it, invalidating any test results done until
>    that point.
> 2. the development process for "open source" does not generally conform
>    to FIPS 140-2 appendix A and B.
>
> Appendix A describes the documentation that is necessary.
> There's a lot of it, and it is very specific to the testing
> required for FIPS 140-2. $25K to hire somebody to produce
> this would be a real bargain for something as complicated as
> kerberos 5.
>
> Appendix B describes the "recommended software development
> practice". These practices are probably a bit out of date, and
> certainly do not describe modern conventions for C. The testing &
> documentation is certainly considerably more rigorous than many
> open source projects. Note that the better organized projects
> at least approach the software methodology suggested here, with
> interesting differences: for instance the design stage may happen
> in part via online chat, unit testing may be on the honor system,
> functional specifications may be terse, & structure charts are
> nearly extinct except in the personnel department.
>
> In fact, I think kerberos 5 probably conforms to about half of
> these practices. For instance, the "life-cycle software engineering
> recommendations" include the phrase "may". I suspect the kerberos
> developers actually follow most of those practices, but may be resistant
> to documenting that they did so. The coding standards contain many
> "shoulds" for things that MIT kerberos actually follows far less rigidly:
> MIT kerberos certainly uses gotos ("...using only structured programming
> constructs..."), unions ("equivalence of variables should not be
> used..."), global variables ("should not be used..."), and more than 2
> exit points for many routines ("...at most two exit points"). In-line
> documentation is certainly *far* sparser than the appendix B authors
> suggest.
>
> Rather than looking to the open source community to produce this, I
> think your best bet is to look at one of the vendors to do this.
> Say, Apple, Solaris, etc. They distribute the complete system,
> not just the software, so they have a better claim on "complete system",
> plus both the money stream, and the incentive, to pay for the
> certification. Apparently at least one of the Solaris people
> is already pursuing FIPS 140-2 for some of the lower-level crypto
> stuff (not kerberos yet).
>
> -Marcus Watts
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
