Date: Tue, 9 Apr 2019 10:04:23 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: NIST and FIPS compliance
Message-ID: <8cf79597-7acf-6b87-c49f-2583d0d13de3@FreeBSD.org>
In-Reply-To: <1435534691.18734564.1554746797370@mail.yahoo.com>
References: <1435534691.18734564.1554746797370.ref@mail.yahoo.com> <1435534691.18734564.1554746797370@mail.yahoo.com>
On 08/04/2019 19:06, Paul Pathiakis via freebsd-questions wrote:
> I find the whole idea of NIST and FIPS to fly in the face of OSS
> sanity. However, should there not be a switch in all ports and the OS
> for things to be built with a FIPS compliant encryption module?
> Seriously, like the openssl-2.0-fips module? I know it's annoying but
> the US and Canadian Govts are demanding this of all vendors and
> contractors. RH/CentOS is already compliant with this stupidity and,
> sadly, I think it should be considered.
>
> And, if this was done, it would allow all derivations of the FreeBSD
> to be able to access this. I'm trying for FreeNAS to be used in such
> an environment.

This is definitely an idea that should be considered further. You might want to start a discussion on the freebsd-arch@ or freebsd-ports@ mailing lists -- as those are the places you're likely to reach the most relevant audience.

I don't know off hand what is required for FIPS compliance -- presumably this entails some sort of certification by a standardizing body that (given certain conditions) a system is compliant -- and that is almost certainly going to cost some amount of money. Whether it is possible to get certification for a generic system, or whether each different installation needs to be separately certified has always been a key question. Also whether having some sort of 'pre-certification' for the baseline system is a possibility in the latter case would be good to know.

Ultimately this is going to come down to two things:

* People with the technical skills required being prepared to volunteer their time.
* Money to pay for whatever level of certification we could feasibly achieve.

There's a trade-off here between the cost and effort required and the resulting benefits. If this needs money, then the FreeBSD Foundation should be involved, and they are going to want to see a well-argued business case before signing any cheques.

Cheers,

Matthew