Huie-Ying Lee wrote:
> On 06/16/09 02:30, Darren J Moffat wrote:
>> Scott Rotondo wrote:
>>>>>
>>>>> 4.3 Interfaces:
>>>>>
>>>>> The following new options are added to cryptoadm(1M) sub-commands
>>>>> cryptoadm list fips-140
>>>>> cryptoadm enable fips-140
>>>>> cryptoadm disable fips-140
>>>
>>> Very minor issue: People often refer informally to "FIPS mode"
>>> rather than the more cumbersome FIPS 140 or FIPS 140-2. Unless you
>>> expect other FIPS standards to apply to the crypto framework, maybe
>>> you could save users a little typing:
>>
>> There are other FIPS standards, in particular those that include the
>> definitions of particular algorithms or PRNG systems.
>>
>>> cryptoadm list fips
>>> cryptoadm enable fips
>>> cryptoadm disable fips
>>
>> That is what we had originally and I suggested to the team to change
>> it to fips-140 because there are lots and lots of FIPS standards and
>> this change to cryptoadm only deals with FIPS 140 not 186 or 86 ...
>> So having just "fips" is wrong.
>>
> How about making it more flexible as follows:
>
> cryptoadm list fips[=fips_number_list]
> cryptoadm enable fips[=fips_number_list]
> cryptoadm disable fips[=fips_number_list]
>
> The "=fips_number_list" part is optional.
> The current supported FIPS number is 140, which is the default for
> now also.
>
> Therefore, "cryptoadm enable fips" and "cryptoadm enable fips=140"
> refer to the same thing.
>
> Huie-Ying

If you look at how crypto is dealt with, all people care about is "is it FIPS certified". All the time this means FIPS-140. Nobody (that I've ever heard of) cares about enabling subsets of this. (FIPS-86 mode might enable a FIPS-86 compliant RNG, but that should always be enabled anyway. I'm not sure what FIPS-186 would mean in this context, since FIPS-186 is just the DSS signing method.)

While I understand that specifying "fips140" might be better (and avoid potential ambiguity later), I don't think "fips=<standard number>" is terribly useful.

What I *could* imagine is a way to imagine different levels of fips, e.g. "fips140=1" for just a level 1 compliance, etc. Although even that seems a stretch since I can't imagine anyone recertifying the framework for more than a single level (which would normally be the highest level that it can reasonably achieve.)

My vote would just be "enable fips140", (which is shorter than "fips-140", and eliminates possible complexity that would never actually be used.)

In short, KISS.

- Garrett