I’m the project lead for getting Mozilla approved for use throughout the U.S. Air Force. That effort is about to come to a screeching halt due to the lack of a current Federal Information Processing Standard (FIPS) 140-2 (http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf) certification for the SSL/TLS software modules in NSS v3.x.
Federal statute (Public Laws 104-106 and 100-235) prohibits government use of encryption software that’s not certified under the Cryptographic Module Validation Program (CMVP) to process and transfer sensitive (but still unclassified) information. See http://csrc.nist.gov/cryptval/ and http://csrc.nist.gov/cryptval/140-1/1401val.htm. It’s my understanding that the most recent CMVP certificates were #247 and #248 for NSS v3.2.2, then obtained and maintained by Sun Microsystems. Substantive changes to NSS code since 9/4/2002 have not been run through the certification process. Bottom line: The U.S. Air Force cannot now legally use Mozilla despite their compelling need for a cross-platform replacement for Navigator 4.7 and a more secure, standards-compliant alternative to IE.
Are there any plans within MF or the NSS development team to seek FIPS 140-2 certification for current NSS modules to allow and promote federal government use of Mozilla? This is basically a paperwork documentation exercise which can be done in-house (the OpenSSL project is pursuing FIPS 140-2 Level 1 certification on their own), or outsourced to a NIST-approved participant in the National Voluntary Laboratory Accreditation Program (NVLAP). One of the NVLAP vendors in the U.S. with links on NIST’s web site quotes about $20K to do the job (see http://www.bkpsecurity.com/pricing.html).
--Doc
Robert G. (Doc) Savage, CISSP, RHCE, GCIA
AFCA/ITCR, ETAS Support Contractor
DigitalNet Government Solutions, LLC
Voice: (618) 229-6381 DSN: 779-6381
Fax: (618) 229-5339
