Re: [Fed-Talk] FIPS 140-2 re-Certification for CDSA in Lion Complete
- Subject: Re: [Fed-Talk] FIPS 140-2 re-Certification for CDSA in Lion Complete
- From: Jeffrey Walton <email@hidden>
- Date: Thu, 05 Apr 2012 14:03:39 -0400
On Wed, Apr 4, 2012 at 5:36 PM, Link, Peter R. <email@hidden> wrote:
> Now if the testing lab will only finish the work on the iPhone and iPad
> modules we can really be excited.
>
> Doug,
> Of course, I'm still trying to get a formal document that describes which
> Lion applications/services use the new, non-FIPS-compliant encryption module
> and which ones (if any) use the old CDSA module. I assume WinMagic uses CDSA
> (or nothing related to OSX) and Entrust simply stores certificates in the
> keychain (no client anymore, but does the keychain use the new crypto
> software?). Does Disk Utility use the new crypto software? I know FileVault
> 2 does. In order to make use of this certification we really need to know
> what is approved and what isn't so we can produce documentation to justify
> the use of Lion in certain circumstances to our approving agency.
The key chain should not be FIPS certified since it does not run
zeroizers. Zeroization is required even at Level 1.

Follow SecKeychainItemFreeContent() through contentFree() and into
DefaultAllocator(). It should be using SensitiveAllocator() to free
the item's data (i.e., the secret). Also, SensitiveAllocator's memset()
is subject to dead code removal, so it might not even be present in
optimized code.

Jeff
> On Apr 4, 2012, at 2:24 PM, Doug Kruth wrote:
>
> I'm sort of surprised that this went unnoticed but we are officially
> finished with our effort to re-certify the CDSA crypto boundary in OS X
> Lion. The testing lab successfully completed the process this past Monday
> and we now have an official certificate from NIST. You can view the
> certificate here:
>
> Certificate 1701:
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1701
>
> Doug Kruth
> Systems Engineering Manager
> Apple Enterprise Sales
> m: 571.218.0805
> o: 703.264.3236
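
The dead-store concern raised in the reply above, shown as an added example that is not part of the original thread and is not Apple's code: a `memset()` immediately before `free()` next to a zeroizing free that writes through a volatile pointer. All function names, the `release` callback and the 0xA5 fill are hypothetical and constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stores through a volatile pointer are kept by compilers as side effects. */
void secure_zero(void *p, size_t len) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
}

/* Pattern from the message: nothing reads p after memset(), so it may be elided. */
void naive_free(void *p, size_t len) {
    if (p == NULL) return;
    memset(p, 0, len);
    free(p);
}

/* Hardened form: zeroize first, then pass the block to the deallocator. */
void sensitive_free(void *p, size_t len, void (*release)(void *)) {
    if (p == NULL) return;
    secure_zero(p, len);
    release(p);
}

/* Hypothetical hook: counts non-zero bytes at the moment of release. */
static size_t g_len, g_dirty;
static void checking_release(void *p) {
    const unsigned char *b = p;
    g_dirty = 0;
    for (size_t i = 0; i < g_len; i++)
        if (b[i] != 0) g_dirty++;
    free(p);
}

/* Returns 1 if every byte was zero when the deallocator received it. */
int zeroized_before_release(size_t len) {
    unsigned char *secret = malloc(len);
    if (secret == NULL) return -1;
    memset(secret, 0xA5, len);      /* constructed stand-in for a secret */
    g_len = len;
    g_dirty = len;                  /* assume dirty until the hook runs */
    sensitive_free(secret, len, checking_release);
    return g_dirty == 0;
}

int main(void) {
    printf("zeroized before release: %d\n", zeroized_before_release(32));
    return 0;
}
```

Where the platform provides them, `memset_s()` (C11 Annex K) or `explicit_bzero()` can take the place of `secure_zero()`.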