[30500] in Kerberos


RE: FIPS compliance

daemon@ATHENA.MIT.EDU (Tim Jandt)
Wed Dec 3 15:01:59 2008

From: Tim Jandt <Tim.Jandt@dedicatedcomputing.com>
To: Marcus Watts <mdw@umich.edu>
Date: Wed, 3 Dec 2008 13:50:07 -0600
Message-ID: <578733DCD150CA49998643114458BACB1892F6645E@OPTIMUS.omnitechcorp.com>
In-Reply-To: <E1L7xXB-00042q-GA@spam.ifs.umich.edu>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

The thread to which I'm referring can be found here:

http://mailman.mit.edu/pipermail/kerberos/2006-November/010870.html

Since your name and e-mail are at the top, and you signed the post, I felt the assumption that "You" posted this was most likely correct.

I appreciate your response, and in doing some further research did find a couple of independent labs that can verify compliance to the FIPS 140-2 standard, but have not found any that mention FIPS 197.

The two labs I found were:

http://www.corsec.com/index.php?option=com_frontpage&Itemid=1
and
http://www.rycombe.com/

Unfortunately, I feel no closer to determining how, exactly, I would prepare the product we are being asked to produce for compliance.  Guess it's on with the reading glasses and a snifter of fine single malt scotch for a trip through http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf tonight...

Cheers,
Tim



-----Original Message-----
From: Marcus Watts [mailto:mdw@umich.edu]
Sent: Wednesday, December 03, 2008 1:37 PM
To: Tim Jandt
Cc: kerberos@mit.edu
Subject: Re: FIPS compliance

You wrote:
> Date:    Wed, 03 Dec 2008 12:32:16 CST
> To:      "kerberos@mit.edu" <kerberos@mit.edu>
> From:    Tim Jandt <Tim.Jandt@dedicatedcomputing.com>
> Subject: FIPS compliance
>
> Hello,
>
> I found a post in which you mentioned:
>
>
> "FIPS compliance is something you get by going through a very particular
> governmental certification process, which normally does not deal with generic
> standards, but instead deals with specific and particular implementations.
> Standards are described, but the compliance aspect is to show that a particular
> implementation meets that standard."
>
> Would you by chance have links to any government agencies or test labs web
> sites that describe the FIPS certification process in more detail?
>
> Thanks,
> Tim

"You" here is a very vague word.  There are about 4 messages in
the thread you appear to reference, from different folks.

Just on the off-chance you mean me, here are some links:

http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
http://en.wikipedia.org/wiki/FIPS_140-2
https://wiki.mozilla.org/FIPS_Validation

The 1st is the standard proper.  At 69 pages, it's not exactly light
reading, but it could be a *lot* worse.  Beware, this may not describe
actual practice, particularly for software.  The 3rd describes the actual
experience of one open source project.  The 2nd & 3rd have pointers to
additional resources.  You can find lots more with google.

                                -Marcus Watts



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
