-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kyle Hamilton
Sent: Wednesday, August 19, 2009 10:42 AM
To: openssl-users@openssl.org
Subject: Re: Prevent concurrent operator in FIPS mode

The API does not prevent concurrent operators. The guidance from the CMVP is that an application (even if operated by a webserver on behalf of someone else) is an operator for purposes of determining compliance with that restriction. Of course, the CMVP seems to want to reduce the functionality of systems that use validated crypto to zero, as well, so I dunno where the balance lies. Neither does Steve M, and he's pretty much openssl's most visible diplomat to the Priesthood of the CMVP.

[<cm>] My Public Sector Customers seem happy with the functionality, though not without a shock: many of their certificates were signed with MD5 (and MD2) and our application now happily rejects them (and their CA was self-signed with MD5, so ditto their CA). Guess what? NIST and FIPS are doing away with 2-key TDES *and* ... SHA-1 by the end of 2010. Just when the PKI vendors abandoned MD5 for SHA1, SHA1 is going away. I was able to use SHA256 in signing certificates (Signature Algorithm: sha256WithRSAEncryption), but I think this will be a headache by this time next year if the 'powers that be' don't extend SHA1 further. RSA is 'on the clock', too.

-Kyle H

On Wed, Aug 19, 2009 at 9:27 AM, Pandit Panburana <ppanb...@yahoo.com> wrote:
> Hello,
>
> The security policy of states that the module does not allow concurrent
> operators. How does API prevent concurrent operator?
>
> Thank you,
>
> -Pandit
>
> ________________________________

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
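Added example, not from this thread and not OpenSSL code: a standard-library-only Python script that reads the outer signatureAlgorithm AlgorithmIdentifier of a DER-encoded X.509 certificate and flags the MD2/MD5/SHA-1 RSA signatures that the FIPS-mode build above was rejecting, so an operator can inventory a certificate store before such a migration. The certificate bytes used here are constructed inside the script (a certificate-shaped DER with a real AlgorithmIdentifier, not a real certificate) so it runs offline; on real input you would pass the bytes produced by `openssl x509 -outform DER`. All OID-to-name mappings are the standard PKCS#1 values; the helper names are this example's own.

```python
"""Inventory X.509 signature algorithms from DER (stdlib only).

Example added to this thread, not from the original posters or from OpenSSL.
Only the outer signatureAlgorithm of a certificate is decoded; the rest of
the structure is skipped.
"""

# Standard PKCS#1 signature-algorithm OIDs for the digests discussed above.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# Digests a FIPS-mode module will refuse for signature verification.
WEAK_DIGESTS = ("md2", "md5", "sha1")


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Turn OID content octets into dotted-decimal text."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(cert, pos)  # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def classify(cert_der):
    """Return (algorithm name or OID, is_weak) for a DER certificate."""
    oid = signature_algorithm(cert_der)
    name = SIG_ALG_NAMES.get(oid, oid)
    weak = any(name.lower().startswith(d) for d in WEAK_DIGESTS)
    return name, weak


# --- constructed sample input (not a real certificate) ---------------------

def _der(tag, content):
    """Minimal DER encoder handling short- and long-form lengths."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID into its DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """Certificate-shaped DER: stub tbs, given AlgorithmIdentifier, dummy sig.
    The 256-byte signature forces a long-form outer length, as real certs have."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 256)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(classify(constructed_cert(oid)))
```

Feeding `classify()` the DER of each certificate in a trust store (including the self-signed CA, which the customers above had also signed with MD5) gives the list that will fail under a FIPS-mode verifier before the switch is thrown.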