From owner-freebsd-questions@freebsd.org Tue Apr 9 09:04:37 2019 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0649F157ABF1 for ; Tue, 9 Apr 2019 09:04:37 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 91CD984076 for ; Tue, 9 Apr 2019 09:04:36 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [IPv6:2001:8b0:151:1:c4ea:bd49:619b:6cb3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "Let's Encrypt Authority X3" (verified OK)) (Authenticated sender: matthew/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4B93EB5E3 for ; Tue, 9 Apr 2019 09:04:36 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from leaf.local (unknown [88.212.184.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: m.seaman@infracaninophile.co.uk) by smtp.infracaninophile.co.uk (Postfix) with ESMTPSA id 65A712385 for ; Tue, 9 Apr 2019 09:04:33 +0000 (UTC) Authentication-Results: smtp.infracaninophile.co.uk/65A712385; dkim=none; dkim-atps=neutral Subject: Re: NIST and FIPS compliance To: freebsd-questions@freebsd.org References: <1435534691.18734564.1554746797370.ref@mail.yahoo.com> <1435534691.18734564.1554746797370@mail.yahoo.com> From: Matthew Seaman Message-ID: <8cf79597-7acf-6b87-c49f-2583d0d13de3@FreeBSD.org> Date: Tue, 9 Apr 2019 10:04:23 +0100 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <1435534691.18734564.1554746797370@mail.yahoo.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 91CD984076 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_SHORT(-0.97)[-0.972,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_MEDIUM(-1.00)[-0.997,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Apr 2019 09:04:37 -0000 On 08/04/2019 19:06, Paul Pathiakis via freebsd-questions wrote: > I find the whole idea of NIST and FIPS to fly in the face of OSS > sanity. However, should there not be a switch in all ports and the OS > for things to be built with a FIPS compliant encryption module? > Seriously, like the openssl-2.0-fips module? I know it's annoying but > the US and Canadian Govts are demanding this of all vendors and > contractors. RH/CentOS is already compliant with this stupidity and, > sadly, I think it should be considered. > > And, if this was done, it would allow all derivations of the FreeBSD > to be able to access this. I'm trying for FreeNAS to be used in such > an environment. This is definitely an idea that should be considered further. You might want to start a discussion on the freebsd-arch@ or freebsd-ports@ mailing lists -- as those are the places you're likely to reach the most relevant audience. I don't know off hand what is required for FIPS compliance -- presumably this entails some sort of certification by a standardizing body that (given certain conditions) a system is compliant -- and that is almost certainly going to cost some amount of money. Whether it is possible to get certification for a generic system, or whether each different installation needs to be separately certified has always been a key question. Also whether having some sort of 'pre-certification' for the baseline system is a possibility in the latter case would be good to know. Ultimately this is going to come down to two things: * People with the technical skills required being prepared to volunteer their time. * Money to pay for whatever level of certification we could feasibly achieve. There's a trade-off here between the cost and effort required and the resulting benefits. If this needs money, then the FreeBSD Foundation should be involved, and they are going to want to see a well-argued business case before signing any cheques. Cheers, Matthew