[Fed-Talk] Re: CMV/CAVP Process Clarification
[Fed-Talk] Re: CMV/CAVP Process Clarification
- Subject: [Fed-Talk] Re: CMV/CAVP Process Clarification
- From: "Miller, Timothy J." <email@hidden>
- Date: Tue, 11 Oct 2011 18:19:46 +0000
- Thread-topic: CMV/CAVP Process Clarification
That¹s as may be, and in many ways you're preaching to the choir, but the
fact remains that FIPS 140 certification is required by Federal law in any
acquisition that uses cryptography outside of designated National Security
Systems.
Re-certifying the 10.6 module if fine as far as it goes, but this is only
a stopgap measure. When 10.8 ships and that module will no longer even
install, where will we be?
-- T
On 10/11/11 10:24 AM, "Shawn Geddis" <email@hidden> wrote:
>On Oct 11, 2011, at 8:05 AM, Miller, Timothy J. wrote:
>
>On 10/9/11 10:32 PM, "Shawn Geddis" <email@hidden> wrote:
>
>
>The addition of "Apple FIPS Cryptographic Module" to the Modules in
>Process list [3] is a reflection of the "re-validation" of the CDSA/CSP
>module shipped in Mac OS X 10.6 and validated on March 9, 2011. OS X
>Lion (v10.7) does not use the CDSA/CSP module, but Apple is performing
>this re-validation to provide continued validation for all third-party
>applications using this module.
>
>
>Ok, great, but when will Lion's new architecture enter CMVP? You know
>how this works, Shawn--we can get exceptions in C&A only as long as we
>can file POA&Ms, emphasis on 'M' (milestones).
>
>-- T
>
>
>
>
>
>Tim,
>
>
>OS X Lion (v10.7) does not use the CDSA/CSP module, but Apple is
>performing this re-validation to provide continued validation for all
>third-party applications using this module.
>
>
>
>Sorry, I guess my statements have not been clear enough. The ONLY module
>used in OS X Lion that is undergoing FIPS 140-2 Conformance Validation is
>the CDSA/CSP module that was validated for Mac OS X 10.6 -- this is
>solely being re-validated for third-party applications that still use it.
>
>Cryptography on OS X and iOS are undergoing convergence, but they are in
>no way the same module(s) today. This convergence takes Engineering time
>and careful transitioning.
>
>
>/* Personal Comment */
>The FIPS 140 Conformance Validation Process needs a major overhaul if the
>US Federal Government is to maintain any chance of staying current with
>innovation. I believe FIPS 140-3 was initially targeted for 2007, but is
>still in DRAFT -- I believe that tells us all something very valuable.
>When a module submission sits in the queue for ~6 months and the products
>are changing ~12/15 months, it makes it impossible for any vendor to
>realistically achieve validation for each release. Significant Resources
>for NIST/CMVP and changes in the process are going to have to be realized
>before this can ever be truly effective for the US Federal Government.
>
>Please also keep in mind that FIPS 140 Validation in no way ensures a
>product is secure in any manner. It simply ensures that the
>cryptographic algorithms are properly implemented and the product does
>what the vendor claims it does according to guidelines set forth by NIST.
> Any Application/Service could inappropriately handle cryptographic data
>supplied by a FIPS 140-2 Validated module and in turn fail to protect the
>sensitive data as expected. FIPS 140-2 has become a box checking
>exercise by agencies with seemingly little thought to the actual
>implementations and protection of data.
>/* Personal Comment */
>
>
>- Shawn
>________________________________________
>Shawn Geddis
>Security Consulting Engineer
>Apple Enterprise Division
>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden