If an application wants to claim FIPS compliance, does it have to be implemented following all the guidelines set out in the FIPS certified application's Security Policy document?
Specifically, I suppose I'm trying to confirm that JSS is a FIPS compliant library and whether a Java application can be considered FIPS compliant if all its crypto is via JSS. I know the JSS FAQ does say it is a FIPS compliant application when used with the FIPS certified NSS libraries in FIPS mode. However, I was browsing the Security Policy file for NSS and it seems to be saying that a user running in FIPS compliant mode should only call FC_* functions and that, in fact, these functions should be called by function pointers returned by an FC lookup function. Looking at the exports from the jss.dll, it seems that FC functions are not being called and functions from nss and nspr are being called directly.

Do libraries get special consideration? My knowledge of FIPS is extremely limited so I'm sure I'm misunderstanding something fundamental.

Thanks
...Dean...

_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto

