On 10/29/08 07:05, Dean wrote:
Hi folks,
I was hoping somebody could confirm or correct my understanding of
which version of NSS is FIPS certified.
As I understand from
https://wiki.mozilla.org/FIPS_Validation
Softokn version 3.11.4 is the most recent FIPS certified version.
And this is a component of NSS 3.11.4 and 3.11.5. This same document
mentions a Target version of Softoken of 3.12.x ... but I have to say,
I'm not sure what they are getting at.
We will be starting our next FIPS 140 validation soon, and it will be on a
softokn 3.12.x release. (the patch release is still to be determined.)
On the Mozilla site I've only been able to find binaries for NSS
3.11.4. However, from posts in this forum and reading the document
http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
section G.4 it seems that I am able to recompile the unchanged source
myself and be able to call the resulting binaries FIPS certified.
Are my assumptions correct?
Yes, provided you check out with the RTM tag, make no changes, and build.
Any changes after NSS_3_11_5_RTM did not get FIPS certified
by a lab.
http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html
Also, is 3.11.5 really the latest FIPS certified version of NSS or
can I use later versions in the 3.11.x chain? How can I tell which
versions of NSS are using the correct version of Softoken.... and is
that correct version of Softoken 3.11.4 or 3.12.2?
Softoken/freebl have version numbers. There are many ways to check
version numbers on various platforms; here are two ways:
On Windows: right-click on the library and check the version.
On Unix/Solaris: strings libsoftokn3.so | grep Header
Also, just to be correct, when I'm talking about the NSS libraries do
I need to call the NSS FIPS compliant libraries, and the Softoken
libraries FIPS certified libraries?
Correct. Understand that NSS needs to be put in FIPS compliant mode;
please review the security policy.
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
-glen
Thanks
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
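The Unix version check from the reply above, turned into a scripted comparison against the validated softoken version. This is an added example, not code from the thread or from the NSS project. The stamp layout (`$Header: NSS <version> ...$`), the function names and the sample files are assumptions constructed for illustration, and `grep -a -o` stands in for `strings | grep Header`.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): read the version stamp embedded in a
# softoken library and compare it with the version on the validation page.

# Print every "$Header: ...$" stamp in a binary. grep -a reads the file as
# text and -o prints only the match, so binutils' strings is not required.
header_stamps() {
    LC_ALL=C grep -a -o '\$Header: [^$]*\$' "$1"
}

# Print the dotted version from the first stamp, or nothing if none is found.
# ASSUMPTION: the stamp looks like "$Header: NSS 3.11.4  <build date> $".
embedded_version() {
    header_stamps "$1" | head -n 1 |
        sed -n 's/^\$Header: NSS \([0-9][0-9.]*\).*/\1/p'
}

# Exit status: 0 = exact match, 1 = different version, 2 = no stamp found.
check_validated() {
    cv_found=$(embedded_version "$1")
    if [ -z "$cv_found" ]; then
        echo "UNKNOWN  $1: no version stamp found"; return 2
    elif [ "$cv_found" = "$2" ]; then
        echo "MATCH    $1: softoken $cv_found"; return 0
    fi
    echo "MISMATCH $1: found $cv_found, expected $2"; return 1
}

# Write a CONSTRUCTED stand-in for a library: a stamp between binary bytes.
make_sample() {   # $1 = output path, $2 = version to embed
    printf '\177ELF\001\000$Header: NSS %s  Jan  1 2007 00:00:00 $\000\002' \
        "$2" > "$1"
}

if [ "$#" -eq 2 ]; then
    check_validated "$1" "$2"          # e.g. libsoftokn3.so 3.11.4
else
    demo_dir=$(mktemp -d)
    make_sample "$demo_dir/validated.so" 3.11.4
    make_sample "$demo_dir/newer.so" 3.12.2
    check_validated "$demo_dir/validated.so" 3.11.4 || true
    check_validated "$demo_dir/newer.so" 3.11.4 || true
    rm -rf "$demo_dir"
fi
```

A matching stamp only confirms the version number; as the reply states, the binary must also be built from the unmodified RTM-tagged source.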