Re: [Fed-Talk] FIPS SSL
- Subject: Re: [Fed-Talk] FIPS SSL
- From: Allan Marcus <email@hidden>
- Date: Mon, 2 Nov 2009 07:58:38 -0700
Shawn,
Thanks so much for your comments. It's so good to hear from Apple on
this topic.
With regards to SDC and FDCC, what is the process? Will there be an
opportunity for public comment, or will new rules just be handed down?
I've tried to get in touch with people at NIST and NSA, but I've had
no luck. My Apple reps basically punt to you, so if you could either
shed some light on this process, or point me to someone I can talk to, I
would greatly appreciate it.
With regards to OpenSSL and the use of Macs in federal government, I
should qualify that statement I made. Given the NIST 800-88
requirement that FIPS 140-2 be used "for information requiring
cryptographic protection," and given that we need to encrypt anything
sensitive (or at least we do in the DOE, I just assume the other
agencies need to as well), and given that so much relies on OpenSSL
(ssh, Apache, Apple Remote Desktop, AFP -- I think, scp, sftp), it
would be hard to avoid using any of those technologies and have the
Mac be useful.
Let's take a look at the competition:
Microsoft Windows 7/Vista: ships with FIPS certified services
Red Hat Enterprise Linux: Ships with the FIPS module of OpenSSL pre-
compiled and easily installed as an RPM.
I can understand that Apple is working on getting its Crypto module
certified (although why it's taking so long is a true mystery). What I
don't understand is why Apple doesn't make the FIPS option for OpenSSL a
supported and easily installable option.
---
Thanks,
Allan Marcus
505-667-5666
On Oct 30, 2009, at 9:52 PM, Shawn A. Geddis wrote:
> On Oct 30, 2009, at 1:08 PM, Allan Marcus wrote:
>> Ahh, I read Shawn's note more closely and I think he's essentially
>> saying that since Apache doesn't use Apple's crypto engine, it's
>> not FIPS out of the box.
>> This is a can of worms I'm hoping not to open where I work, but Mac
>> OS X default encryption (anything that uses ssl/ssh) isn't FIPS
>> certified :-( Probably one of the reasons we aren't seeing an
>> FDCC for Mac; pull the string far enough and one pretty much can't
>> use a Mac for the federal government.
>> I would love to hear if anyone has resolved this issue.
>> ---
>> Thanks,
>> Allan Marcus
> Allan,
> Yes, after your second read you were closer to the actual statements
> I made in the message. :-)
> I was indeed stating that Apache in Mac OS X is not using a version
> of OpenSSL that is utilizing a FIPS validated crypto module, but
> that if Mark wanted to attempt to achieve compliance and use the
> same Apache, he could try to wedge in a FIPS validated version of
> OpenSSL.
> I do, however, feel the need to challenge your comments above.....
>> This is a can of worms I'm hoping not to open where I work, but Mac
>> OS X default encryption (anything that uses ssl/ssh) isn't FIPS
>> certified :-(
> Your reference to default and then to SSL/SSH seems like it could
> possibly confuse some on this list, so I'd like to break it out and
> clarify....
> Mac OS X's built-in Cryptographic Service Provider (CSP) Software
> Module is currently in process for FIPS 140-2 Level 1 Conformance
> Validation.
> OpenSSL on Mac OS X 10.5/10.6 is not compiled using their FIPS
> validated crypto module.
> OpenSSH uses the installed OpenSSL on the platform (see above).
> Apache on Mac OS X uses OpenSSL (see above).
>> Probably one of the reasons we aren't seeing an FDCC for Mac;
> I'm not sure how you can make such a jump here. The above situation
> regarding Apache/OpenSSL/OpenSSH has no impact on when or how you
> will see an FDCC for Mac. In fact, the SDC will be first,
> followed by the FDCC. The work on this has wound down, but it must
> still travel through the formal sign-off process.
>> pull the string far enough and one pretty much can't use a Mac for
>> the federal government.
> This is just a false statement.....
> - Shawn
> _____________________________________________________
> Shawn Geddis - Security Consulting Engineer - Apple Enterprise
Fed-talk mailing list (email@hidden)
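Shawn's breakdown above (OpenSSH and Apache inherit whatever OpenSSL is installed, and that OpenSSL may or may not be a FIPS-capable build with FIPS mode switched on) suggests a practical check an administrator can run on a host before claiming compliance. The script below is an added example, not code from this thread, from Apple or from the OpenSSL project; it assumes a POSIX shell, `ldd` (Linux) or `otool` (macOS) for inspecting linkage, and an `openssl` binary on PATH. The version strings used in the comments and checks are constructed samples of the form distribution builds print.

```shell
#!/bin/sh
# Added example: audit whether the OpenSSL-dependent services mentioned in the
# thread (ssh, scp, sftp, httpd) get their crypto from a FIPS-capable OpenSSL
# that actually has FIPS mode active.

# Classify an `openssl version` string (sample inputs are constructed):
#   fips-build : carries the "-fips" suffix that distribution builds linked
#                against the OpenSSL FIPS Object Module print,
#                e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
#   plain      : an ordinary build, e.g. "OpenSSL 0.9.8l 5 Nov 2009"
#   unknown    : not an OpenSSL/LibreSSL version line at all
# A fips-build only means the module is present; it says nothing about
# whether FIPS mode is switched on (see fips_mode_active below).
classify_openssl_version() {
    case "$1" in
        *-fips*)            echo "fips-build" ;;
        OpenSSL*|LibreSSL*) echo "plain" ;;
        *)                  echo "unknown" ;;
    esac
}

# Print the shared libssl/libcrypto objects a binary links against.
# Uses otool on macOS and ldd on Linux; prints nothing for a missing path,
# a static binary or a script wrapper.
crypto_libs_of() {
    bin="$1"
    {
        if command -v otool >/dev/null 2>&1; then
            otool -L "$bin" 2>/dev/null
        elif command -v ldd >/dev/null 2>&1; then
            ldd "$bin" 2>/dev/null
        fi
    } | grep -E 'libcrypto|libssl' | awk '{print $1}'
}

# Report, for each service the thread names, which OpenSSL libraries it pulls in.
audit_binaries() {
    for name in ssh scp sftp httpd; do
        bin=$(command -v "$name" 2>/dev/null) || continue
        libs=$(crypto_libs_of "$bin")
        printf '%s (%s): %s\n' "$name" "$bin" "${libs:-no OpenSSL linkage found}"
    done
}

# Return 0 if the installed openssl has a FIPS module/provider active.
#   OpenSSL 3.x : a loaded FIPS provider appears in `openssl list -providers`.
#   OpenSSL 0.9.8/1.0.x FIPS-capable builds: setting OPENSSL_FIPS=1 makes the
#     openssl tool call FIPS_mode_set(1), after which a non-approved digest
#     such as MD5 is refused. A plain build ignores the variable and computes it.
# Caveat: an openssl that fails for an unrelated reason (broken config) would
# also be reported as "active"; check stderr by hand in that case.
fips_mode_active() {
    command -v openssl >/dev/null 2>&1 || return 1
    if openssl list -providers 2>/dev/null | grep -qi fips; then
        return 0
    fi
    if printf 'probe' | OPENSSL_FIPS=1 openssl md5 >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-alone run: print the linkage audit and the FIPS status of this host.
audit_binaries
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version 2>/dev/null)
    printf 'openssl version: %s -> %s\n' "$v" "$(classify_openssl_version "$v")"
fi
if fips_mode_active; then
    echo "openssl: FIPS module/provider active"
else
    echo "openssl: no FIPS module active (or openssl not installed)"
fi
```

The linkage step is the part that answers Shawn's point directly: if `ssh` or `httpd` resolves to the system `libcrypto`, it is only as FIPS-validated as that library, regardless of any separate validated module installed elsewhere on the box.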