Anthony Scarpino wrote:
> Sort of on this topic, can providers like ncp and n2cp be made FIPS
> certified some day.. Does a hardware provider require a keystore on
> board (like a SCA-6000) to be FIPS?

I don't see any reason why not. They should at least be able to get a FIPS algorithm certification.

> If so, there are some interesting scenarios one can have with ncp and
> the recently integrated hardware keygen project..

Where "interesting" depends on where you draw the crypto boundary!

For things like ncp and n2cp that have no keystore of their own, personally I'd class them the same as the kernel software providers (i.e. "inside" the crypto framework). In some ways they are just platform-specific "softishware" providers (ncp is pretty much this because the hardware doesn't do RSA, it does modexp; n2cp is different though).

The other thing to consider for the future is when we get around to adding support in the framework for building complex/newer/combi mechanisms out of older/simpler ones (e.g. AES_CCM in "software" using whatever of ECB/CBC the hardware has, RSA_SHA1_PKCS by combining in software the hardware RSA and software SHA1): the boundary will need to be different as well.

--
Darren J Moffat