cryptoadm(1M) enhancement for FIPS-140 mode [PSARC/2009/347 FastTrack timeout 06/17/2009]

Darren J Moffat Darren.Moffat at sun.com
Tue Jun 16 12:07:13 PDT 2009 

Garrett D'Amore wrote:
> Huie-Ying Lee wrote:
>> On 06/16/09 02:30, Darren J Moffat wrote:
>>> Scott Rotondo wrote:
>>>>>>
>>>>>> 4.3  Interfaces:
>>>>>>
>>>>>>   The following new options are added to cryptoadm(1M) sub-commands
>>>>>>       cryptoadm list fips-140
>>>>>>       cryptoadm enable fips-140
>>>>>>       cryptoadm disable fips-140
>>>>
>>>> Very minor issue: People often refer informally to "FIPS mode" 
>>>> rather than the more cumbersome FIPS 140 or FIPS 140-2. Unless you 
>>>> expect other FIPS standards to apply to the crypto framework, maybe 
>>>> you could save users a little typing:
>>>
>>> There are other FIPS standards, in particular those that include the 
>>> definitions of particular algorithms or PRNG systems.
>>>
>>>>     cryptoadm list fips
>>>>     cryptoadm enable fips
>>>>     cryptoadm disable fips
>>>
>>> That is what we had originally and I suggested to the team to change 
>>> it to fips-140 because there are lots and lots of FIPS standards and 
>>> this change to cryptoadm only deals with FIPS 140 not 186 or 86 ... 
>>> So having just "fips" is wrong.
>>>
>> How about making it more flexible as following:
>>
>>   cryptoadm list fips[=fips_number_list]
>>   cryptoadm enable fips[=fips_number_list]
>>   cryptoadm disable fips[=fips_number_list]
>>
>> The "=fips_number_list" part is optional.
>>  The current supported FIPS number is 140, which is the default for 
>> now also.
>>
>> Therefore,  "cryptoadm enable  fips" and "cryptoadm enable fips=140" 
>> refer to the same thing.
>>
>> Huie-Ying
> 
> If you look at how crypto is dealt with, all people care about is "is it 
> FIPS certified".  All the time this means FIPS-140.  Nobody (that I've 
> ever heard of) cares about enabling subsets of this.  (FIPS-86 mode 
> might enable a FIPS-86 compliant RNG, but that should always be enabled 
> anyway.  I'm not sure what FIPS-186 would mean in this context, since 
> FIPS-186 is just the DSS signing method.)
> 
> While I understand that specifying "fips140" might be better (and avoid 
> potential ambiguity later), I don't think "fips=<standard number>" is 
> terribly useful.
> 
> What I *could* imagine is a way to imagine different levels of fips, 
> e.g. "fips140=1" for just a level 1 compliance, etc.  Although even that 
> seems a stretch since I can't imagine anyone recertifying the framework 
> for more than a single level (which would normally be the highest level 
> that it can reasonably achieve.)


As you can see from my posts you and I agree on this.

> My vote would just be "enable fips140", (which is shorter than 
> "fips-140", and eliminates possible complexity that would never actually 
> be used.)

I don't care one way or the other other if the '-' is in there or not, 
in fact allowing both is probably a good idea.

-- 
Darren J Moffat

More information about the opensolaris-arc mailing list