cryptoadm(1M) enhancement for FIPS-140 mode [PSARC/2009/347 FastTrack timeout 06/17/2009]
Huie-Ying Lee
huie-ying.lee at sun.com
Tue Jun 16 10:36:34 PDT 2009
On 06/16/09 02:30, Darren J Moffat wrote:
> Scott Rotondo wrote:
>>>>
>>>> 4.3 Interfaces:
>>>>
>>>> The following new options are added to cryptoadm(1M) sub-commands
>>>> cryptoadm list fips-140
>>>> cryptoadm enable fips-140
>>>> cryptoadm disable fips-140
>>
>> Very minor issue: People often refer informally to "FIPS mode" rather
>> than the more cumbersome FIPS 140 or FIPS 140-2. Unless you expect
>> other FIPS standards to apply to the crypto framework, maybe you
>> could save users a little typing:
>
> There are other FIPS standards, in particular those that include the
> definitions of particular algorithms or PRNG systems.
>
>> cryptoadm list fips
>> cryptoadm enable fips
>> cryptoadm disable fips
>
> That is what we had originally and I suggested to the team to change
> it to fips-140 because there are lots and lots of FIPS standards and
> this change to cryptoadm only deals with FIPS 140 not 186 or 86 ... So
> having just "fips" is wrong.
>
How about making it more flexible as following:
cryptoadm list fips[=fips_number_list]
cryptoadm enable fips[=fips_number_list]
cryptoadm disable fips[=fips_number_list]
The "=fips_number_list" part is optional.
The current supported FIPS number is 140, which is the default for now
also.
Therefore, "cryptoadm enable fips" and "cryptoadm enable fips=140"
refer to the same thing.
Huie-Ying
More information about the opensolaris-arc
mailing list