cryptoadm(1M) enhancement for FIPS-140 mode [PSARC/2009/347 FastTrack timeout 06/17/2009]

Garrett D'Amore gdamore at sun.com
Tue Jun 16 10:47:58 PDT 2009 

Huie-Ying Lee wrote:
> On 06/16/09 02:30, Darren J Moffat wrote:
>> Scott Rotondo wrote:
>>>>>
>>>>> 4.3  Interfaces:
>>>>>
>>>>>   The following new options are added to cryptoadm(1M) sub-commands
>>>>>       cryptoadm list fips-140
>>>>>       cryptoadm enable fips-140
>>>>>       cryptoadm disable fips-140
>>>
>>> Very minor issue: People often refer informally to "FIPS mode" 
>>> rather than the more cumbersome FIPS 140 or FIPS 140-2. Unless you 
>>> expect other FIPS standards to apply to the crypto framework, maybe 
>>> you could save users a little typing:
>>
>> There are other FIPS standards, in particular those that include the 
>> definitions of particular algorithms or PRNG systems.
>>
>>>     cryptoadm list fips
>>>     cryptoadm enable fips
>>>     cryptoadm disable fips
>>
>> That is what we had originally and I suggested to the team to change 
>> it to fips-140 because there are lots and lots of FIPS standards and 
>> this change to cryptoadm only deals with FIPS 140 not 186 or 86 ... 
>> So having just "fips" is wrong.
>>
> How about making it more flexible as following:
>
>   cryptoadm list fips[=fips_number_list]
>   cryptoadm enable fips[=fips_number_list]
>   cryptoadm disable fips[=fips_number_list]
>
> The "=fips_number_list" part is optional.
>  The current supported FIPS number is 140, which is the default for 
> now also.
>
> Therefore,  "cryptoadm enable  fips" and "cryptoadm enable fips=140" 
> refer to the same thing.
>
> Huie-Ying

If you look at how crypto is dealt with, all people care about is "is it 
FIPS certified".  All the time this means FIPS-140.  Nobody (that I've 
ever heard of) cares about enabling subsets of this.  (FIPS-86 mode 
might enable a FIPS-86 compliant RNG, but that should always be enabled 
anyway.  I'm not sure what FIPS-186 would mean in this context, since 
FIPS-186 is just the DSS signing method.)

While I understand that specifying "fips140" might be better (and avoid 
potential ambiguity later), I don't think "fips=<standard number>" is 
terribly useful.

What I *could* imagine is a way to imagine different levels of fips, 
e.g. "fips140=1" for just a level 1 compliance, etc.  Although even that 
seems a stretch since I can't imagine anyone recertifying the framework 
for more than a single level (which would normally be the highest level 
that it can reasonably achieve.)

My vote would just be "enable fips140", (which is shorter than 
"fips-140", and eliminates possible complexity that would never actually 
be used.)

In short, KISS.

    - Garrett
>
>
>
>

More information about the opensolaris-arc mailing list