Hey there;

On February 24, 2009 02:07:39 pm smitha daggubati wrote:
> Thanks a lot Kyle. That was a very clear explanation.
> One final question. Given that non-FIPS mode OpenSSL can talk with FIPS
> validated implementations, let's say I have a server
> which is using OpenSSL in non-FIPS mode which speaks and supports all the
> ciphers (including the FIPS ciphers). Now for a FIPS validated client is
> there any way for the client to tell that it is speaking with a non-FIPS
> server? If not, the server could claim to be FIPS compliant and trick the
> client while in reality it is not FIPS compliant but is just speaking FIPS
> ciphers that the client proposes. Is the above possible then?
>

I think you are still completely missing what FIPS is for: FIPS is a 
specification that tells you which ciphers and protocols certain departments 
in the US Government consider secure, and a bunch of limitations and 
requirements as to how those ciphers and protocols are implemented.

That's it, that's all. It isn't some magic pixie crypto dust that you sprinkle 
on your application and call it secure.

Providing assurance as to the identity of the endpoints of your communication 
channel is up to you.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org