
[Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 297



I just wanted to second what Shawn said here.  The final draft of the DoD Secure Baseline Configuration
(SDC) settings for Mac OS X 10.5 Leopard is done. It is now going through the approval process.  It has to be
signed by the DoD CIO before it officially becomes the SDC settings for the DoD.

From there, the recommendations will be submitted to OMB as part of DoD compliance with the FDCC mandates.
The FDCC recommendations for OS X 10.5 will have to be developed from there.  It is likely they will be
based on the SDC settings, but they may be changed from those settings.  Another working group will be in
charge of developing the FDCC baseline.

When you start talking about the "FDCC" taking so long to be developed.... compared to what?  The only other
FDCCs available are all for Windows, and that process was established quite a while ago.  They are building
on what was already done.  As far as how long it took to develop the first FDCC for Windows - it didn't.  They 
came up with a minimal list of recommended settings because someone thought that would be useful, and
then OMB came out with the FDCC mandate based on those settings.  

And having it set up now where the SDC settings are mandated for the DoD, and then FDCC settings will be
developed for all of the federal government, is a new process altogether.  Everyone is feeling their way through
this.

There are no hidden reasons the SDC is not out yet, and no one will see an FDCC for OS X until a DoD SDC 
has first been approved (at least, that's my understanding of the process so far).

And in the meantime, neither NIST nor OMB precludes use or purchase of systems that do not have an FDCC
in place.  See the FDCC FAQ on the NIST web page.

http://nvd.nist.gov/fdcc/fdcc_faq.cfm#What%20operating%20systems%20have%20FDCC%20settings

I hope this clears up some things for people.

Kim Hersh

Kimberly Cummings Hersh
Apple Team Lead
NSA Systems and Network Analysis Center (SNAC)
410-854-5192

On Oct 31, 2009, at 3:06 PM, email@hidden wrote:



Message: 3
Date: Fri, 30 Oct 2009 20:52:24 -0700
From: "Shawn A. Geddis" <email@hidden>
Subject: Re: [Fed-Talk] FIPS SSL
To: Allan Marcus <email@hidden>
Cc: Apple Fed Talk <email@hidden>
Message-ID: <email@hidden>
Content-Type: text/plain; charset="us-ascii"

On Oct 30, 2009, at 1:08 PM, Allan Marcus wrote:

> Ahh, I read Shawn's note more closely and I think he's essentially saying that since Apache doesn't use Apple's crypto engine, it's not FIPS out of the box.
>
> This is a can of worms I'm hoping not to open where I work, but Mac OS X default encryption (anything that uses ssl/ssh) isn't FIPS certified :-( Probably one of the reasons we aren't seeing an FDCC for Mac; pull the string far enough and one pretty much can't use a Mac for the federal government.
>
> I would love to hear if anyone has resolved this issue.
>
> ---
> Thanks,
>
> Allan Marcus

Allan,

Yes, after your second read you were closer to the actual statements I made in the message.  :-)

I was indeed stating that Apache in Mac OS X is not using a version of OpenSSL that is utilizing a FIPS validated crypto module, but that if Mark wanted to attempt to achieve compliance and use the same Apache, he could try to wedge a FIPS validated version of OpenSSL.

I do, however, feel the need to challenge your comments above.....

> This is a can of worms I'm hoping not to open where I work, but Mac OS X default encryption (anything that uses ssl/ssh) isn't FIPS certified :-(

Your reference to default and then to SSL/SSH seems it could possibly confuse some on this list, so I'd like to break it out and clarify....

Mac OS X's built-in Cryptographic Service Provider (CSP) Software Module is currently in process for FIPS 140-2 Level 1 Conformance Validation.

OpenSSL on Mac OS X 10.5/10.6 is not compiled using their FIPS validated crypto module

OpenSSH uses the installed OpenSSL on the platform (see above)

Apache on Mac OS X uses OpenSSL (see above)

> Probably one of the reasons we aren't seeing an FDCC for Mac;

I'm not sure how you can make such a jump here.  The above situation regarding Apache/OpenSSL/OpenSSH has no impact on when or how you will see an FDCC for Mac.  In fact, the SDC will be first, followed by the FDCC.  The work on this has wound down, but it must still travel through the formal sign-off process.

> pull the string far enough and one pretty much can't use a Mac for the federal government.

This is just a false statement.....


- Shawn
_____________________________________________________
Shawn Geddis  -  Security Consulting Engineer  -  Apple Enterprise
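The dependency chain Shawn lays out (Apache and OpenSSH use the platform OpenSSL, and that OpenSSL is or is not built with a FIPS validated module) can be checked on a host rather than taken on faith. The following script is an added example written for this page; it is not code from the thread, from Apple, or from the OpenSSL project. It parses `otool -L` (or `ldd`) output to see whether a binary links libssl/libcrypto at all, then parses `openssl version -a` output for the two markers that FIPS-capable OpenSSL builds advertise: a `-fips` suffix on the version string and `-DOPENSSL_FIPS` on the `compiler:` line. The sample outputs below are constructed for the example, not captured from a real system, and the `/usr/sbin/httpd` path is a placeholder.

```python
"""Check whether a service binary's OpenSSL is a FIPS-capable build.

Added example; not from the mailing-list thread. It walks the chain the
message describes: binary -> libssl/libcrypto it links -> whether that
OpenSSL build advertises FIPS capability. A FIPS-capable build is
necessary, not sufficient: FIPS mode must also be enabled at runtime.
"""
import re
import shutil
import subprocess
from typing import Optional

# Constructed sample of `otool -L /usr/sbin/httpd` (macOS). Not real output.
SAMPLE_OTOOL_HTTPD = """/usr/sbin/httpd:
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.0)
"""

# Constructed sample of `openssl version -a` for a stock (non-FIPS) build.
SAMPLE_VERSION_STOCK = """OpenSSL 0.9.8l 5 Nov 2009
built on: Jun 23 2010
platform: darwin64-x86_64-llvm
options:  bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) blowfish(ptr2)
compiler: -arch x86_64 -fPIC -fno-common -DOPENSSL_THREADS -D_REENTRANT -O3
OPENSSLDIR: "/System/Library/OpenSSL"
"""

# Constructed sample for a build that ships the OpenSSL FIPS Object Module.
SAMPLE_VERSION_FIPS = """OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Jan 13 12:00:00 2014
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_FIPS -DOPENSSL_THREADS -D_REENTRANT -O2
OPENSSLDIR: "/etc/pki/tls"
"""

_FIPS_DEFINE = re.compile(r"-DOPENSSL_FIPS\b")


def linked_ssl_libraries(linker_output: str) -> list:
    """Return libssl/libcrypto paths from `otool -L` or `ldd` output.

    otool prints the binary name on its own line ending in ':' and one
    '<path> (...)' line per dependency; ldd prints 'name => path (addr)'.
    """
    libs = []
    for line in linker_output.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        if "=>" in line:  # ldd form: take the resolved path after '=>'
            line = line.split("=>", 1)[1].strip()
        path = line.split()[0]
        name = path.rsplit("/", 1)[-1]
        if name.startswith(("libssl", "libcrypto")):
            libs.append(path)
    return libs


def fips_capable(version_output: str) -> bool:
    """True if `openssl version -a` output advertises a FIPS-capable build."""
    lines = version_output.splitlines()
    if lines and re.search(r"^OpenSSL\s+\S*-fips\b", lines[0]):
        return True
    return any(l.startswith("compiler:") and _FIPS_DEFINE.search(l) for l in lines)


def assess(linker_output: str, version_output: str) -> dict:
    """Combine linkage and build markers into a verdict for one binary."""
    libs = linked_ssl_libraries(linker_output)
    capable = fips_capable(version_output) if libs else False
    if not libs:
        verdict = "no OpenSSL linkage found; binary uses another crypto provider"
    elif capable:
        verdict = "FIPS-capable OpenSSL build; confirm FIPS mode is enabled at runtime"
    else:
        verdict = "stock OpenSSL build without a FIPS module; not FIPS validated"
    return {"links_openssl": bool(libs), "libraries": libs,
            "fips_capable_build": capable, "verdict": verdict}


def inspect_live(binary: str) -> Optional[dict]:
    """Run the real tools if present (otool on macOS, ldd elsewhere).

    Caveat: `openssl version -a` describes the library behind the openssl
    CLI, which may differ from the one the binary links; compare paths.
    """
    lister = "otool" if shutil.which("otool") else "ldd"
    if not shutil.which(lister) or not shutil.which("openssl"):
        return None
    args = [lister, "-L", binary] if lister == "otool" else [lister, binary]
    linker_out = subprocess.run(args, capture_output=True, text=True).stdout
    version_out = subprocess.run(["openssl", "version", "-a"],
                                 capture_output=True, text=True).stdout
    return assess(linker_out, version_out)


if __name__ == "__main__":
    for label, ver in (("stock", SAMPLE_VERSION_STOCK), ("fips", SAMPLE_VERSION_FIPS)):
        print(label, assess(SAMPLE_OTOOL_HTTPD, ver)["verdict"])
```

Run it as-is to see the two sample verdicts, or call `inspect_live("/usr/sbin/httpd")` (or the path to `sshd`) on a real host. The point the script makes explicit is the one in the message: the answer hinges on which OpenSSL the service links and how that OpenSSL was built, not on the operating system's own CSP.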


