Krishna Yenduri wrote:
> Glenn Brunette wrote:
>>
>> Given the strong push by U.S. and other governments, financial
>> services organizations, etc. (inside and outside of the U.S.) to
>> use FIPS approved algorithms, has there been any consideration
>> to make FIPS-140 mode enabled by default?
>
> This is an interesting suggestion. I agree with Tony that
> there are performance issues with making it the default.
>

Correct - performance degradation because of the additional Power-Up
tests, including cryptographic algorithm test and software integrity
test at boot time.

> I believe we can make some requirements of the FIPS 140-2 spec
> the default. We already made one requirement the
> default. See
>    6703956 Solaris cryptographic framework needs a FIPS-186-2 certifiable RNG
> which modified the Solaris RNG to use an algorithm that
> can be FIPS certified. I will note that these kinds of changes are at the
> design level and do not impact this case.
>

For the Solaris RNG case, using FIPS 186-2 would be better as it can be
FIPS certified; also, testing showed no performance regression. So we
made it the default RNG algorithm.

Hai-May




> Regards,
> -Krishna
> _______________________________________________
> crypto-discuss mailing list
> crypto-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/crypto-discuss

