Date: Fri, 27 Oct 2017 10:13:15 -0700
From: "Chris H" <bsd-lists@bsdforge.com>
To: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: Crypto overhaul
Message-ID: <161ecc025cd82beeca46dc7f55599b45@ultimatedns.net>
In-Reply-To: <51e5e3f85b6445ed85faf770773118bb@exch-02.redcom.com>
References: <51e5e3f85b6445ed85faf770773118bb@exch-02.redcom.com>
On Fri, 27 Oct 2017 12:38:47 +0000 "Wall, Stephen" <swall@redcom.com> wrote
[ re-wrapped for better readability ]
> Be aware that moving away from a crypto library that has a FIPS-approved
> crypto core will have a significant impact on commercial users of
> FreeBSD who do business with U.S. government (and likely some other
> governments and corporate sectors as well). BoringSSL is pursuing/has
> pursued FIPS validation, but they offer this warning on their web page:
>
> Although BoringSSL is an open source project, it is not intended for
> general use, as OpenSSL is. We don't recommend that third parties
> depend upon it. Doing so is likely to be frustrating because there
> are no guarantees of API or ABI stability.
>
> BearSSL, being a new, small project, is highly unlikely to pursue FIPS
> certification. LibreSSL has deliberately stripped anything FIPS related
> out of their fork, and the project has stated multiple times that it
> will not come back.
>
> I am not opposing a change (indeed, consolidating the various crypto
> sources in FreeBSD to a single (FIPS-possible) library would be a good
> thing), I just prefer (strongly) that FIPS not be pushed out of the
> picture.
>
FIPS, or not, Typhoid Mary needs to go, and the sooner the better! Given a
choice of using OpenSSL because it has FIPS certification, knowing that it
will likely permit a [near] future system compromise, or using an
alternative with a long history of reliability, safety, and a great deal of
scrutiny by seasoned developers and security engineers, it should be an easy
question to answer. FIPS or not. It should be an easy pitch to make -- even
to those on the FIPS bandwagon. I don't think there's any reason to panic;
OpenSSL will likely still remain in the ports tree, no matter *what's*
decided on for $BASE, for those that *must* have it.
:)
> -spw
--Chris