Re: [openssl-users] FIPS 140-2 on iOS

2015-04-29 Thread Sec_Aficionado
This is an excellent explanation in plain English. Thank you!

 On Apr 28, 2015, at 4:31 PM, Steve Marquess marqu...@openssl.com wrote:
 
 On 04/28/2015 03:44 PM, Sec_Aficionado wrote:
 Hi there,
 
 Total n00b question here. I recently ran across a question on an iOS
 forum where someone was building an app with FIPS 140-2 compliant
 communications.
 
 Note there really is no such thing as FIPS 140-2 compliant (though you
 see that term bandied around a lot and I'm guilty of doing so myself).
 
 The term of interest is FIPS 140-2 validated (n.b.: that's validated
 not certified).
 
 Now, from reading here (mailing lists) about FIPS certification, it
 involves both the bits and the platform. So it would not be possible
 to create an app that is compliant on a platform that hasn't been
 certified. Is that a correct assumption? Or can I build a compliant
 app with just certified libraries?
 
 A Level 1 FIPS 140-2 validation (Level 1 being the most common and the
 easiest) applies to a thing called a cryptographic module in the
 context of one or more OEs or Operational Environments (loosely
 speaking, platforms). Note at Level 1 products are not validated,
 operating systems are not validated, only cryptographic modules are
 validated.
 
 Translated from FIPSspeak, for a software module that means a very
 specific chunk of executable code running on a specific platform
 (operating system and OS version and processor architecture). Move
 that same code to another platform and it is no longer validated; the
 validation is relative to the OEs or platforms.
 
 The only valid reason to use a FIPS 140-2 validated module is that you
 must in order to sell your cryptography-using product to the USG or DoD.
 For that market you (typically, if the procurement officer is paying
 attention) have to use a validated cryptographic module on one of the
 OEs specifically listed for that module validation.
 
 So for a software product there is no such thing as validation of the
 product independent of the platform (OE) it runs on.
 
 A partial exception to that rule is user affirmation per I.G. G.5, but
 while technically a legitimate means of satisfying FIPS 140-2 validation
 requirements that has limited practical value in the USG/DoD market.
 
 Note I'm only discussing Level 1 validations here; Levels 2 and up are
 different.
 
 -Steve M.
 
 -- 
 Steve Marquess
 OpenSSL Software Foundation, Inc.
 1829 Mount Ephraim Road
 Adamstown, MD  21710
 USA
 +1 877 673 6775 s/b
 +1 301 874 2571 direct
 marqu...@opensslfoundation.com
 marqu...@openssl.com
 gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
 ___
 openssl-users mailing list
 To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] FIPS 140-2 on iOS

2015-04-28 Thread Q Gct
Hi,

I believe you can make an app that is FIPS compliant: since OpenSSL can be
made FIPS compliant on a non-validated OS, why not an app on iOS? But it
will be a FIPS compliant app, not a FIPS validated app.

On Tue, 28 Apr 2015 21:45, Sec_Aficionado secaficion...@gmail.com
wrote:

 Hi there,

 Total n00b question here. I recently ran across a question on an iOS forum
 where someone was building an app with FIPS 140-2 compliant communications.

 Now, from reading here (mailing lists) about FIPS certification, it
 involves both the bits and the platform. So it would not be possible to
 create an app that is compliant on a platform that hasn't been certified.
 Is that a correct assumption? Or can I build a compliant app with just
 certified libraries?

 Thanks!

 Sent from my mobile
 I may have missed some autocorrections



Re: [openssl-users] FIPS 140-2 on iOS

2015-04-28 Thread Steve Marquess
On 04/28/2015 03:44 PM, Sec_Aficionado wrote:
 Hi there,
 
 Total n00b question here. I recently ran across a question on an iOS
 forum where someone was building an app with FIPS 140-2 compliant
 communications.

Note there really is no such thing as FIPS 140-2 compliant (though you
see that term bandied around a lot and I'm guilty of doing so myself).

The term of interest is FIPS 140-2 validated (n.b.: that's validated
not certified).

 Now, from reading here (mailing lists) about FIPS certification, it
 involves both the bits and the platform. So it would not be possible
 to create an app that is compliant on a platform that hasn't been
 certified. Is that a correct assumption? Or can I build a compliant
 app with just certified libraries?

A Level 1 FIPS 140-2 validation (Level 1 being the most common and the
easiest) applies to a thing called a cryptographic module in the
context of one or more OEs or Operational Environments (loosely
speaking, platforms). Note at Level 1 products are not validated,
operating systems are not validated, only cryptographic modules are
validated.

Translated from FIPSspeak, for a software module that means a very
specific chunk of executable code running on a specific platform
(operating system and OS version and processor architecture). Move
that same code to another platform and it is no longer validated; the
validation is relative to the OEs or platforms.

The only valid reason to use a FIPS 140-2 validated module is that you
must in order to sell your cryptography-using product to the USG or DoD.
For that market you (typically, if the procurement officer is paying
attention) have to use a validated cryptographic module on one of the
OEs specifically listed for that module validation.

So for a software product there is no such thing as validation of the
product independent of the platform (OE) it runs on.

A partial exception to that rule is user affirmation per I.G. G.5, but
while technically a legitimate means of satisfying FIPS 140-2 validation
requirements that has limited practical value in the USG/DoD market.

Note I'm only discussing Level 1 validations here; Levels 2 and up are
different.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


[openssl-users] FIPS 140-2 on iOS

2015-04-28 Thread Sec_Aficionado
Hi there,

Total n00b question here. I recently ran across a question on an iOS forum 
where someone was building an app with FIPS 140-2 compliant communications.

Now, from reading here (mailing lists) about FIPS certification, it involves 
both the bits and the platform. So it would not be possible to create an app 
that is compliant on a platform that hasn't been certified. Is that a correct 
assumption? Or can I build a compliant app with just certified libraries?

Thanks!

Sent from my mobile
I may have missed some autocorrections