Regarding 202, I only have a point regarding 211.1. Have you considered increasing the coverage of Exim (or having a subtopic for it), since it's being widely used? This can be seen in this report <http://www.securityspace.com/s_survey/data/man.202309/mxsurvey.html>.

The points raised about DNSSEC and OpenVPN are interesting, but I leave it to those who have worked more directly with this.

Regards,
Ricardo Prudenciato

On Tue, Oct 24, 2023 at 10:42 AM Bryan Smith via lpi-examdev <[email protected]> wrote:

> Last time I checked, Wireguard's crypto is grossly inefficient for US NIST
> FIPS compliance, and forces specific ciphers for speed. OpenVPN allows the
> administrators to choose ciphers, and this includes being Linux kernel FIPS
> mode compatible.**
>
> In the US, even commercially, US NIST Cybersecurity Maturity Model
> Certification (CMMC) v2.0, along with existing US NIST 800-171 (especially
> updated revision 2), are hitting hard. And outside of US NIST, many
> entities (internationally) also follow US DISA Security Technical
> Implementation Guides (STIGs), which also enable FIPS. I can also go into
> VISA et al. compliance, like DSS PCI.
>
> So ... while I'm not saying US NIST FIPS, CMMC 2.0 and other compliance
> should eliminate something from consideration ... it should bolster
> considerations to not drop something, in favor of something else that is
> not compliant.
>
> - bjs
>
> **P.S. For those unaware, when you put the Linux kernel in FIPS mode,
> which is a boot-time setting (can check run-time here
> /proc/sys/crypto/fips_enabled), it's not that libraries are disabled. No,
> the kernel itself stomps on any insecure crypto call, even if the library
> is enabled. It's the one thing that most people are unaware of when they
> first run into it. I even recently called nVidia out for this for
> ignoring it for nearly the past four (4) years with countless forum posts
> (over 100) and several tickets, when it comes to some of their CUDA
> userspace packages.
>
> RE: https://www.linkedin.com/feed/update/urn:li:activity:7118774386890866688/
>
> On Tue, Oct 24, 2023 at 9:10 AM Simone Piccardi via lpi-examdev <[email protected]> wrote:
>
>> On 23/10/23 19:43, Fabian Thorns via lpi-examdev wrote:
>> > - Objective 212.5 now covers VPN in a more generic fashion and Wireguard
>> > instead of OpenVPN
>>
>> Why remove OpenVPN? At least in my experience it is more commonly used (as
>> it is supported by more firewall appliances) than Wireguard to connect
>> clients to remote networks.
>>
>> Simone
>> --
>> Simone Piccardi                 Truelite Srl
>> [email protected] (email/jabber) Via Monferrato, 6
>> Tel. +39-347-1032433            50142 Firenze
>> http://www.truelite.it          Tel. +39-055-7879597
>>
>> _______________________________________________
>> lpi-examdev mailing list
>> [email protected]
>> https://list.lpi.org/mailman/listinfo/lpi-examdev
>
> --
> Bryan J Smith - http://www.linkedin.com/in/bjsmith
> E-mail: b.j.smith at ieee.org or me at bjsmith.me
