-----Original Message-----
From: Rob C <[email protected]>
Reply: OpenStack Development Mailing List (not for usage questions) <[email protected]>
Date: November 7, 2016 at 07:39:57
To: OpenStack Development Mailing List (not for usage questions) <[email protected]>
Subject: Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

> Good question, I know issues around this have arisen before.
>
> I think the main points have been covered well already, for my part I will
> always lean toward the better supported or actively developed project.

At this point PyCrypto actively tells users that it's not supported or developed. They've been pushing people towards Cryptography.

> I understand the desire to look for FIPS 140-2 compliance, however I'd
> caution about this being the only deciding factor, it makes software
> development messy as only specific implementations can be validated. If you
> want to update code to make improvements etc you can need a whole
> re-validation. I'm not saying that FIPS 140-2 doesn't have value but I know
> of software projects that have used known-bad implementations that had
> certification rather than use an updated version with no issues - (like I said,
> it gets messy).
>
> The OpenSSL guys wrote a good article on FIPS validation, how they tackled
> it and some of the impact etc [1]
>
> -Rob
>
> [1] https://www.openssl.org/docs/fipsnotes.html

I would strongly suggest you read Rob's link. It's very enlightening to know why, while FIPS may be a requirement, it's not necessarily beneficial from a security standpoint. It's also ridiculously expensive and restrictive.

I've CC'd one of the lead developers from the Cryptography project to comment on this. I would hazard a guess that one could compile Cryptography against a version of OpenSSL that is FIPS compliant, but I doubt it'll be considered supported. I know Cryptography recently dropped support for a few older versions of OpenSSL, and to work with that you'd have to stick to an older version of Cryptography.

Can I ask why FIPS compliance is a requirement for Kolla? This seems like an odd request for a deployment project.

> On Sun, Nov 6, 2016 at 4:44 PM, Jeremy Stanley wrote:
>
> > On 2016-11-06 14:59:03 +0000 (+0000), Jeremy Stanley wrote:
> > > On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote:
> > [...]
> > > > An orthogonal question I have received from one of our community
> > > > members (Pavo on irc) is whether pycrypto (or if we move to
> > > > cryptography) provide FIPS-140-2 compliance.
> > > >
> > > My understanding is that if you need, for example, a FIPS-compliant
> > > AES implementation under the hood, then this is dependent more on
> > > what backend libraries you're using... e.g.,
> > > https://www.openssl.org/docs/fips.html
> > > https://www.openssl.org/docs/fipsvalidation.html

--
Ian Cordasco
