> From: "Steve Marquess" <marqu...@openssl.com> 
> Date: 04/14/15 09:31 

> and note that of the 101 platforms ("OEs") appearing there, most of
> those operating systems are neither CC certified nor have any other FIPS
> 140-2 validated crypto. Keep in mind that at Level 1 the validation
> applies to the cryptographic module, not the calling application that
> uses that module nor the operating system that runs it.

I came across a Red Hat Security Policy document that clearly puts the XFRM out 
of the Security Policy domain.  See section 1.1.2, page 8, in:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1386.pdf

This blurs the concept of FIPS validation.  Looks more and more that the
validation will only care about what is being declared as going for validation.
In this case (policy might have changed since 2010) they simply say that no,
we do not declare the crypto done via XFRM as part of the Security Policy.  And
the FIPS lab says, OK, fine.  Hmmm....

Regards.


