On 04/14/2015 09:42 AM, jonetsu wrote:
>
>>> From: "Steve Marquess" <marqu...@openssl.com> Date: 04/14/15 09:31
>>
>> and note that of the 101 platforms ("OEs") appearing there, most
>> of those operating systems are neither CC certified nor have any
>> other FIPS 140-2 validated crypto. Keep in mind that at Level 1 the
>> validation applies to the cryptographic module, not the calling
>> application that uses that module nor the operating system that
>> runs it.
>
> I came across a Red Hat Security Policy document that clearly puts
> the XFRM out of the Security Policy domain. See section 1.1.2, page
> 8, in:
>
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1386.pdf
>
> This blurs the concept of FIPS validation. Looks more and more that
> the validation will only care about what is being declared as going
> for validation. In this case (policy might have changed since 2010)
> they simply say that no, we do not declare the crypto done via XFRM
> as part of the Security Policy. And the FIPS lab says, OK, fine.
> Hmmm....
No, it doesn't blur anything. That is a Level 1 validation. At Level 1
only the "cryptographic module" is within scope of the FIPS 140-2
validation. The "cryptographic module" is a concept that is rather
precisely defined in that context. You often hear the term "boundary"
in reference to cryptographic modules.

The operating system, and any crypto it may contain, is out of scope
== outside the boundary. The calling application(s), and any other
crypto it may contain, is out of scope. Any other applications
residing on the same system, and any crypto they may contain, are out
of scope. The Level 1 validation covers *only* the specific
"cryptographic module".

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc