Date: Tue, 9 Apr 2019 13:19:38 +0000
From: Carmel NY <carmel_ny@outlook.com>
To: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: NIST and FIPS compliance
Message-ID: <MWHPR04MB04955F5D0F7D6FE78FE07EB6802D0@MWHPR04MB0495.namprd04.prod.outlook.com>
In-Reply-To: <8cf79597-7acf-6b87-c49f-2583d0d13de3@FreeBSD.org>
References: <1435534691.18734564.1554746797370.ref@mail.yahoo.com> <1435534691.18734564.1554746797370@mail.yahoo.com> <8cf79597-7acf-6b87-c49f-2583d0d13de3@FreeBSD.org>
On Tue, 9 Apr 2019 10:04:23 +0100, Matthew Seaman stated:
> On 08/04/2019 19:06, Paul Pathiakis via freebsd-questions wrote:
>> I find the whole idea of NIST and FIPS to fly in the face of OSS
>> sanity. However, should there not be a switch in all ports and the OS
>> for things to be built with a FIPS compliant encryption module?
>> Seriously, like the openssl-2.0-fips module? I know it's annoying but
>> the US and Canadian Govts are demanding this of all vendors and
>> contractors. RH/CentOS is already compliant with this stupidity and,
>> sadly, I think it should be considered.
>>
>> And, if this was done, it would allow all derivations of the FreeBSD
>> to be able to access this. I'm trying for FreeNAS to be used in such
>> an environment.
>
> This is definitely an idea that should be considered further. You
> might want to start a discussion on the freebsd-arch@ or
> freebsd-ports@ mailing lists -- as those are the places you're likely
> to reach the most relevant audience.
>
> I don't know offhand what is required for FIPS compliance --
> presumably this entails some sort of certification by a standardizing
> body that (given certain conditions) a system is compliant -- and that
> is almost certainly going to cost some amount of money.
>
> Whether it is possible to get certification for a generic system, or
> whether each different installation needs to be separately certified
> has always been a key question. Also whether having some sort of
> 'pre-certification' for the baseline system is a possibility in the
> latter case would be good to know.
>
> Ultimately this is going to come down to two things:
>
>   * People with the technical skills required being prepared to
>     volunteer their time.
>
>   * Money to pay for whatever level of certification we could
>     feasibly achieve.
>
> There's a trade-off here between the cost and effort required and the
> resulting benefits. If this needs money, then the FreeBSD Foundation
> should be involved, and they are going to want to see a well-argued
> business case before signing any cheques.
>
> Cheers,
>
> Matthew

I don't know if this will be of any use to you, Matthew.

https://en.wikipedia.org/wiki/FIPS_140-2

Interestingly enough, Win 10 Pro has an option to enable FIPS; however,
even Microsoft says not to enable it unless you absolutely have to; i.e.,
government compliance. RH/CentOS are already compliant apparently. It would
seem counterproductive for FreeBSD not to be also. In any case, its use
should be made optional.

-- 
Carmel