On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack <[email protected]> wrote:
> Hello:
>
> I am a bit confused! I am reading the FIPS user guide and the
> following document:
>
> http://www.openssl.org/docs/fips/fipsnotes.html
>
> I quote
>
> "If even the tiniest source code or build process changes are required
> for your intended application, you cannot use the open source based
> validated module directly. You must obtain your own validation. This
> situation is common; see "Private Label" validation, below. "
>
> Also, the openssl distribution has to match the right PGP keys.
>
> So to those who are more of Openssl/FIPS experts than I, I have some
> basic questions:
>
> 1) I assume it is impossible to make a FIPS capable openssl
> distribution straight out of the FreeBSD source tree without "Private
> Validation" as defined in the document above? (i.e. you can certainly
> build it this way but you are violating the guidelines for FIPS
> Compliance or do the maintainers out of src/crypto/openssl ENSURE that
> the distro in that tree is equivalent to the openssl distro, even for
> PGP key checks?)
>
> 2) Can you make a FIPS capable openssl port?
>
> i.e. use the stock distro, write some script to validate keys, create
> a separate FIPS port or part of the openssl port, etc. case in point,
> RHEL I believe has a FIPS compliant RPM which does this in its spec
> file.

I guess to put things more simply:

Has the distribution integrated within the FreeBSD source tree been
validated against its PGP keys so it can be built FIPS capable?

I really appreciate an official answer from one of the security officers.

Thanks!

-aps
