[
https://issues.apache.org/jira/browse/CASSANDRA-20512?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17941484#comment-17941484
]
Stefan Miklosovic commented on CASSANDRA-20512:
-----------------------------------------------
The "problem" with placing a FIPS-certified dependency into our tarball is that
the certification lasts only until 30th September 2029. The Corretto team is
planning to perpetually re-submit it every year for certification, but in the
event they don't get it, we would end up with a FIPS dependency in a tarball
without it actually being certified, which is rather unlikely all things
considered but still a risk.
https://github.com/corretto/amazon-corretto-crypto-provider/issues/452
I would then delegate the task of depending on a FIPS-certified dependency to
people who are actually deploying the clusters and can evaluate the risks
themselves instead of us shipping it directly.
Hence, I will resolve this ticket as "won't fix".
> Investigate the usage of FIPS-certified Amazon Corretto Crypto Provider
> -----------------------------------------------------------------------
>
> Key: CASSANDRA-20512
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20512
> Project: Apache Cassandra
> Issue Type: Task
> Components: Legacy/Core
> Reporter: Stefan Miklosovic
> Priority: Normal
>
> We are using version 2.2.0 which is almost 2 years old. There is 2.5.0
> already.
> What is very interesting is that from 2.3.0, they are also offering a
> FIPS-certified version of that. (1, 2, 3).
> (1) https://github.com/corretto/amazon-corretto-crypto-provider?tab=readme-ov-file#notes-on-accp-fips
> (2) https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816
> (3) https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md
> https://central.sonatype.com/artifact/software.amazon.cryptools/AmazonCorrettoCryptoProvider-FIPS/2.5.0/versions