Ben Lindstrom wrote:

> Where are these 'DIPS 140-2' requirements? If they are anything like the
> other military requirements they are impractical and insane (yes I've had
> some time in the area. Not my idea of fun =).

This: <http://csrc.nist.gov/cryptval/> is the URL at NIST. I'm just getting started at digging into this, and so any answers I might give you today are probably not the answers you want. I don't get the sense that the requirements are insane, but yeah, it's certainly possible some of them will oppose the OpenBSD/SSH/SSL philosophies. For the most part, it seems that FIPS 140 is (one of) the lowest standards for "sensitive but unclassified" information. And pretty soon, if not already, most crypto software used in DoD-related projects will need to be certified.

> We have a regess/ section in the current tree.
>
> What is the issue with prng? You really should be using kernel level
> devices. prngd and built-in prng should be a last resort. Besides, I
> bet our prng could easily get certified by NIST. It is a more sane
> implementation than some of the NIST certified stuff at my work.=)

I was trying to give you guys a broad overview of what I've gathered so far, so please don't take anything as a criticism. I spoke with an engineer at one of the labs that could do the testing, and that's where that list of issues came from -- a very brief conversation about whether or not I was crazy to try this.

The self-test requirement is (I think) on module loading, a sort of software POST. The prng issue is (once again, I think) that your prng isn't certified. (=My= issue with prngs is IRIX, and believe me I know that it's my problem =).

There is not a list of what the specific problems and issues are yet, and much depends on exactly how the "system" to be certified is defined: what exactly is the relationship between OpenSSH and OpenSSL during the testing process? What platform is the testing done on? What codebase snapshot is used? What is the configuration to be certified?

Thanks,
--Nathan

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
