On 10/29/08 07:05, Dean wrote:
Hi folks,

I was hoping somebody could confirm or correct my understanding of
which version of NSS is FIPS certified.

As I understand from

https://wiki.mozilla.org/FIPS_Validation

Softokn version 3.11.4 is the most recent FIPS certified version.
And this is a component of NSS 3.11.4 and 3.11.5. This same document
mentions a Target version of Softoken of 3.12.x ... but I have to say,
I'm not sure what they are getting at.

We will be starting our next FIPS 140 validation soon, and it will be on a
softokn 3.12.x release.  (the patch release is still to be determined.)
On the Mozilla site I've only been able to find binaries for NSS
3.11.4.  However, from posts in this forum and reading the document
http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
section G.4 it seems that I am able to recompile the unchanged source
myself and be able to call the resulting binaries FIPS certified.

Are my assumptions correct?

Yes, provided you check out with the RTM tag, make no changes, and build. Any changes after NSS_3_11_5_RTM did not get FIPS certified by a lab.

http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html


Also, is 3.11.5 really the latest FIPS certified version of NSS or
can I use later versions in the 3.11.x chain?  How can I tell which
versions of NSS are using the correct version of Softoken.... and is
that correct version of Softoken 3.11.4 or 3.12.2?

Softoken/freebl have version numbers. There are many ways to check version numbers
on various platforms; here are two ways:
On Windows: right-click on the library and check the version.
On Unix/Solaris: strings libsoftokn3.so | grep Header

Also, just to be correct, when I'm talking about the NSS libraries do
I need to call the NSS FIPS compliant libraries, and the Softoken
libraries FIPS certified libraries?

Correct. Understand that NSS needs to be put in FIPS compliant mode.
Please review the security policy.

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

-glen


Thanks



_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
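
The `strings libsoftokn3.so | grep Header` check from the reply above, wrapped as a script that compares the embedded version with the validated Softoken version named in the thread. This is an added example, not part of the original thread or of NSS; it assumes the embedded marker has the form `$Header: NSS <version> <build date> $`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether a softoken/freebl library carries the
# validated version. Assumption: the library embeds a marker of the form
#   $Header: NSS 3.11.4  <build date> $
# Function names below are hypothetical, not NSS tooling.

VALIDATED="${VALIDATED:-3.11.4}"   # Softoken version named in the thread

# Print printable strings from a binary; fall back to tr if strings is absent.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1"
    fi
}

# Echo the version from the first "$Header: NSS x.y.z" marker; return 1 if none.
nss_header_version() {
    v=$(printable_strings "$1" | grep 'Header' |
        sed -n 's/.*\$Header: NSS \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Echo "MATCH <v>", "MISMATCH <v>" or "UNKNOWN" for one library path.
# Exit status: 0 match, 1 mismatch, 2 no marker found.
check_library() {
    if ! v=$(nss_header_version "$1"); then
        echo "UNKNOWN"
        return 2
    fi
    if [ "$v" = "$VALIDATED" ]; then
        echo "MATCH $v"
    else
        echo "MISMATCH $v"
        return 1
    fi
}

# Check every library path given on the command line.
for lib in "$@"; do
    printf '%s: %s\n' "$lib" "$(check_library "$lib" || true)"
done
```

A match only shows that the binary reports the expected version string; it says nothing about whether the source was built unchanged from the RTM tag or whether the module is running in FIPS mode.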
