[Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 297
- Subject: [Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 297
- From: "Nascimento, Ronaldo M." <email@hidden>
- Date: Mon, 2 Nov 2009 11:41:35 -0500
- Thread-topic: Fed-talk Digest, Vol 6, Issue 297
-------- Forwarded Message --------
From: Shawn A. Geddis <email@hidden>
To: Allan Marcus <email@hidden>
Cc: Apple Fed Talk <email@hidden>
Subject: Re: [Fed-Talk] FIPS SSL
Date: Fri, 30 Oct 2009 20:52:24 -0700
Allan,
Yes, after your second read you were closer to the actual statements I made in the message. :-)
I was indeed stating that Apache in Mac OS X is not using a version of OpenSSL that is utilizing a FIPS validated crypto module, but that if Mark wanted to attempt to achieve compliance and use the same Apache, he could try to wedge a FIPS validated version of OpenSSL.
I do, however, feel the need to challenge your comments above.....
> This is a can of worms I'm hoping not to open where I work, but Mac OS X default encryption (anything that uses ssl/ssh) isn't FIPS certified :-(
Your reference to default and then to SSL/SSH seems it could possibly confuse some on this list, so I'd like to break it out and clarify....
- Mac OS X's built-in Cryptographic Service Provider (CSP) Software Module is currently in process for FIPS 140-2 Level 1 Conformance Validation.
- OpenSSL on Mac OS X 10.5/10.6 is not compiled using their FIPS validated crypto module
- OpenSSH uses the installed OpenSSL on the platform (see above)
- Apache on Mac OS X uses OpenSSL (see above)
> Probably one of the reasons we aren't seeing an FDCC for Mac;
I'm not sure how you can make such a jump here. The above situation regarding Apache/OpenSSL/OpenSSH has no impact in when or how you will see an FDCC for Mac. In fact you, the SDC will be first, followed by the FDCC. The work on this has wound down, but it must still travel through the formal sign-off process.
> pull the string far enough and one pretty much can't use a Mac for the federal government.
This is just a false statement.....
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
Shawn, you have to understand, as a federal IT employee we can get into some serious trouble without FDCC / FIPS certification. So with it all "under validation" won't hold any weight when Congress is asking questions why you could use the CERTIFIED, APPROVED and AUTHORIZED software such as MS Windows et al. It's just frustrating, while I have a MacPro workstation, I continually worry about the fact there are NO guidelines for us to follow. WE NEED Mac FDCC now!
Ronaldo Nascimento
IT Specialist, PVAMC
Facility Information Technology Service (FITS)
Office of Information & Technology (OI&T)
215-823-5259