Steve Marquess wrote:
Thomas J. Hruska wrote:
According to the FIPS 1.2 Security Policy, Appendix A, Platform 8
cannot be built as FIPS compliant because 'x84-64 asm' is a
non-existent platform. There is no such thing as x84. It should say
'x86-64 asm'. Validation, from what I understand, only covers those
platforms listed. Strictly-speaking, x86-64 asm is not able to be
built as FIPS-compliant since it is not included in the list (despite
supposedly being a tested platform).
"2. Verify that the SHA1 HMAC digest of the distribution file (see
Appendix B)."
What exactly am I verifying? Either finish the sentence or remove the
word 'that'. Since this sentence is grammatically incorrect which
leads the reader to believe there is more to the step than mentioned,
this step is thus incomplete. Following a path of strict logic,
Appendix A, step 2's incomplete sentence makes it impossible to
perform a FIPS validated build for any platform.
Feedback on errors in the Security Policy is greatly appreciated, but
please note I can't make any corrections to the officially approved
version, it is frozen just like the source code. I will have an errata
page for the Security Policy in the User Guide which is coming out Real
Soon Now.
The most critical step of FIPS validated builds in the past was to
apply OS-level security measures to fipscanister (e.g. make specific
files read-only to everyone but root/admin.). Is this done
automatically now? Or what section of the Security Policy did I skim
too quickly over that covers this? If it isn't covered in the
Security Policy but needs to be done, does that invalidate the FIPS
validation?
Please take a look at some other Security Policy documents. You will
note that they have a very stylized format, using "FIPS-speak" where
terms can have different meanings than in a software engineering
context. Think patent application instead of RFC.
I didn't fully appreciate that fact for the first validation and drafted
the initial Security Policy for a technical audience. During the
validation processes I was told, again and again, that I was confusing
the issues with facts and so progressively removed said extraneous
technical detail until we wound up with this most recent Security Policy
in the conventional style of other validations. The removed material
makes up the User Guide.
The righteous answer to your question is that the governing documents
("scripture") for FIPS 140-2 are the FIPS 140-2 standard itself
(http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf) and the
Implementation Guidance document
(http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf).
A more pragmatic answer is to note that strictly speaking almost no
validated software module for general purpose computers is usable in the
real world. Note for instance the standard Security Policy requirement
for "single user mode".
I realize these are nitpicks. However, before I go through the
massive undertaking of putting together a FIPS build for Windows, I
need to know that these are non-issues. The last time I tried to do a
FIPS build, it wasted two weeks of time better spent doing other things.
I've wasted five years, welcome to the club :-)
-Steve M.
Thank you for the detailed explanations. I look forward to seeing the
User Guide.
--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
