On Wed, 13 May 2009, Ferenc Rakoczi wrote:

> I have a general comment: bring the Administration section forward (after the
> Overview) as it belongs to the "big picture" part and explains some of the
> questions I had when I first read the document from top to bottom.

Hi Ferenc -

As Hai-May noted, we probably won't be sending this out for another review,
but if we do, we will consider the reorganization. (We should send out a
final draft with the changes/corrections as brought up in this review, though.)

> I also have a few other comments inline below.

I've trimmed your text for my reply, as I believe Hai-May and Tony have
responded to your other questions.

>> Integrity Check
>> ===============
>>
>> As required by Section 4.6 of the FIPS-140-2 standard, an integrity check
>> must be implemented to prevent unauthorized modification of the modules
>> in the boundary. It is required that whatever does the integrity check
>> is also part of the boundary and also validates itself.
>>
>> The integrity check will rely on the existing elfsign signature
>> facilities. This will require modifying elfsign to again statically
>> link against pkcs11_softtoken, modifying elfsign's use of libkmf to
>> force validation to use PKCS11 (vs. OpenSSL, which it uses now), and making
>> sure all modules in the boundary are signed with an official Sun
>> certificate.
>>
>> We cannot rely on the "OU=Solaris Signed Execution" certificate
>> signing process remaining around, as the Validated Execution
>> team may soon be turning that off.
>>
>> In order to ensure our binaries are correctly signed and that
>> we can test them with bfu, we will sign everything in the
>> boundary with the "OU=Solaris Cryptographic Framework". This
>> signature will only be verified while in FIPS mode, and all
>> other validation processes will remain unchanged. Currently,
>> there is a catch-all in kcf that validates anything with the
>> crypto certificate, regardless of what services it provides,
>> that we will remove.
>>
>> To prepare for the new Government regulations coming in 2010,
>> we will upgrade the cryptographic signing certificate to an RSA
>> 2048-bit key using SHA-256.
>>
>> These signatures do mean we will need to include all of the
>> modules in the binary into the closed-bins tarball for OpenSolaris
>
> do you mean "all of the binaries of these modules" by "all of the
> modules in the binary"?

What I actually meant when I typed that was: "all of the modules in the
boundary". I have corrected this in the design.

Thank you for your comments!

Valerie
--
Valerie Fenwick, http://blogs.sun.com/bubbva
Solaris Security Technologies, Developer, Sun Microsystems, Inc.
17 Network Circle, Menlo Park, CA, 94025.
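The verification policy the quoted Integrity Check section describes (FIPS-mode-only, RSA-2048/SHA-256 signatures, only the framework OU accepted, no catch-all certificate), written out as an added Go example; this is not elfsign or kcf code, the names Module, SignModule and VerifyBoundary are hypothetical, and the signing certificate is reduced to its subject OU plus RSA public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// OU from the design excerpt; the boundary check accepts no other signer certificate.
const fipsOU = "Solaris Cryptographic Framework"

// Module is one signed binary in the boundary; the verifier itself must appear in the list too.
type Module struct {
	Name      string
	Image     []byte
	SignerOU  string         // subject OU of the signing certificate (simplified model)
	SignerKey *rsa.PublicKey // public key of the signing certificate
	Sig       []byte         // RSA PKCS#1 v1.5 over SHA-256(Image), as a 2048-bit/SHA-256 elfsign would attach
}

// SignModule attaches the signature an elfsign-style tool would produce (hypothetical helper).
func SignModule(name string, image []byte, key *rsa.PrivateKey, ou string) (Module, error) {
	d := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return Module{name, image, ou, &key.PublicKey, sig}, err
}

// VerifyBoundary applies the check only in FIPS mode: each module must be signed by the framework
// OU with an RSA key of at least 2048 bits, and one bad module fails the whole boundary.
func VerifyBoundary(mods []Module, fipsMode bool) error {
	if !fipsMode {
		return nil // other validation paths stay unchanged outside FIPS mode
	}
	for _, m := range mods {
		if m.SignerOU != fipsOU {
			return fmt.Errorf("%s: not signed with the framework certificate", m.Name)
		}
		if m.SignerKey == nil || m.SignerKey.N.BitLen() < 2048 {
			return fmt.Errorf("%s: signer key shorter than RSA-2048", m.Name)
		}
		d := sha256.Sum256(m.Image)
		if err := rsa.VerifyPKCS1v15(m.SignerKey, crypto.SHA256, d[:], m.Sig); err != nil {
			return fmt.Errorf("%s: signature does not match image", m.Name)
		}
	}
	return nil
}
```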