RE: [Fed-Talk] Re: CMV/CAVP Process Clarification
- Subject: RE: [Fed-Talk] Re: CMV/CAVP Process Clarification
- From: "Prout, Andrew - 1002 - MITLL" <email@hidden>
- Date: Tue, 11 Oct 2011 14:06:51 -0400
Regarding FIPS 140-2 validation for each product: unless it’s a complete rewrite, you can go for a change letter or expedited reevaluation for the cryptographic library between product versions, if anything at all. The key is defining the bounds of the library clearly so that you have to change as little as possible within it. Mozilla does this by separately versioning the Network Security Services (NSS) that’s included in their products so they don’t have to revalidate between Firefox versions. The OpenSSL Software Foundation is doing this for several vendors, see their pages at: http://openssl.org/support/consulting.html and http://openssl.org/support/funding/support-faq.html#Services2.
It’s even harder on the contractor side of government business than it is in actual federal agencies. Nobody wants to be the one to ask the DAA for an exception. Things are absolutely excluded from consideration unless they’re certified.
From: fed-talk-bounces+aprout=email@hidden [mailto:fed-talk-bounces+aprout=email@hidden] On Behalf Of Shawn Geddis
Sent: Tuesday, October 11, 2011 11:24 AM
To: Miller, Timothy J.
Cc: Fed Talk
Subject: [Fed-Talk] Re: CMV/CAVP Process Clarification
On Oct 11, 2011, at 8:05 AM, Miller, Timothy J. wrote:
On 10/9/11 10:32 PM, "Shawn Geddis" <email@hidden> wrote:
The addition of "Apple FIPS Cryptographic Module" to the Modules in Process list [3] is a reflection of the "re-validation" of the CDSA/CSP module shipped in Mac OS X 10.6 and validated on March 9, 2011. OS X Lion (v10.7) does not use the CDSA/CSP module, but Apple is performing this re-validation to provide continued validation for all third-party applications using this module.
Ok, great, but when will Lion's new architecture enter CMVP? You know how this works, Shawn--we can get exceptions in C&A only as long as we can file POA&Ms, emphasis on 'M' (milestones).
-- T
OS X Lion (v10.7) does not use the CDSA/CSP module, but Apple is performing this re-validation to provide continued validation for all third-party applications using this module.
Sorry, I guess my statements have not been clear enough. The ONLY module used in OS X Lion that is undergoing FIPS 140-2 Conformance Validation is the CDSA/CSP module that was validated for Mac OS X 10.6 -- this is solely being re-validated for third-party applications that still use it.
Cryptography on OS X and iOS are undergoing convergence, but they are in no way the same module(s) today. This convergence takes Engineering time and careful transitioning.
The FIPS 140 Conformance Validation Process needs a major overhaul if the US Federal Government is to maintain any chance of staying current with innovation. I believe FIPS 140-3 was initially targeted for 2007, but is still in DRAFT -- I believe that tells us all something very valuable. When a module submission sits in the queue for ~6 months and the products are changing ~12/15 months, it makes it impossible for any vendor to realistically achieve validation for each release. Significant Resources for NIST/CMVP and changes in the process are going to have to be realized before this can ever be truly effective for the US Federal Government.
Please also keep in mind that FIPS 140 Validation in no way ensures a product is secure in any manner. It simply ensures that the cryptographic algorithms are properly implemented and the product does what the vendor claims it does according to guidelines set forth by NIST. Any Application/Service could inappropriately handle cryptographic data supplied by a FIPS 140-2 Validated module and in turn fail to protect the sensitive data as expected. FIPS 140-2 has become a box checking exercise by agencies with seemingly little thought to the actual implementations and protection of data.
/* Personal Comment */
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division