There are many gray areas in using FIPS 140 validated browser and server products.
For Level 1, the underlying operating system must be a single-user OS. In our most recent validation, we satisfied this requirement on Unix by configuring it with only the root user. While it is common practice to run as Administrator on Windows, it is unthinkable to run your web browser or servers as root on Unix.
For Level 2, the underlying OS must be the exact version of OS that was certified for Common Criteria EAL4, running on the exact same hardware models the OS was certifed on. This means you can't apply the latest Solaris 8 patches or Windows 2000 service packs, and you need to use the exact Sun hardware models or PC models that Solaris 8 and Windows 2000 were certified on.
Doing the above (running as root on Unix, not applying OS patches) has its own security problems and may not even be possible.
In any case, the NSS team is still interested in revalidating NSS for conformance to FIPS 140-2. We are targeting the upcoming NSS 3.10 release. The revalidation hasn't started yet.
I am also asking any government agencies interested in funding this effort to please contact the Mozilla Foundation or me. Your funding will help start the revalidation sooner.
Wan-Teh
smime.p7s
Description: S/MIME Cryptographic Signature
