Garrett D'Amore wrote: > Huie-Ying Lee wrote: >> On 06/16/09 02:30, Darren J Moffat wrote: >>> Scott Rotondo wrote: >>>>>> >>>>>> 4.3 Interfaces: >>>>>> >>>>>> The following new options are added to cryptoadm(1M) sub-commands >>>>>> cryptoadm list fips-140 >>>>>> cryptoadm enable fips-140 >>>>>> cryptoadm disable fips-140 >>>> >>>> Very minor issue: People often refer informally to "FIPS mode" >>>> rather than the more cumbersome FIPS 140 or FIPS 140-2. Unless you >>>> expect other FIPS standards to apply to the crypto framework, maybe >>>> you could save users a little typing: >>> >>> There are other FIPS standards, in particular those that include the >>> definitions of particular algorithms or PRNG systems. >>> >>>> cryptoadm list fips >>>> cryptoadm enable fips >>>> cryptoadm disable fips >>> >>> That is what we had originally and I suggested to the team to change >>> it to fips-140 because there are lots and lots of FIPS standards and >>> this change to cryptoadm only deals with FIPS 140 not 186 or 86 ... >>> So having just "fips" is wrong. >>> >> How about making it more flexible as following: >> >> cryptoadm list fips[=fips_number_list] >> cryptoadm enable fips[=fips_number_list] >> cryptoadm disable fips[=fips_number_list] >> >> The "=fips_number_list" part is optional. >> The current supported FIPS number is 140, which is the default for >> now also. >> >> Therefore, "cryptoadm enable fips" and "cryptoadm enable fips=140" >> refer to the same thing. >> >> Huie-Ying > > If you look at how crypto is dealt with, all people care about is "is it > FIPS certified". All the time this means FIPS-140. Nobody (that I've > ever heard of) cares about enabling subsets of this. (FIPS-86 mode > might enable a FIPS-86 compliant RNG, but that should always be enabled > anyway. I'm not sure what FIPS-186 would mean in this context, since > FIPS-186 is just the DSS signing method.) > > While I understand that specifying "fips140" might be better (and avoid > potential ambiguity later), I don't think "fips=<standard number>" is > terribly useful. > > What I *could* imagine is a way to imagine different levels of fips, > e.g. "fips140=1" for just a level 1 compliance, etc. Although even that > seems a stretch since I can't imagine anyone recertifying the framework > for more than a single level (which would normally be the highest level > that it can reasonably achieve.)
As you can see from my posts you and I agree on this. > My vote would just be "enable fips140", (which is shorter than > "fips-140", and eliminates possible complexity that would never actually > be used.) I don't care one way or the other other if the '-' is in there or not, in fact allowing both is probably a good idea. -- Darren J Moffat
