Kerberos 5 certified under NIST 140-2.
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Sep 3 22:52:53 EDT 2007
> As I read FIPS 140-2, it addresses hardware much more than software, and
> very much addresses "complete systems" or sometimes "components" and really
> does not address frameworks or pluggable environments much at all.
>
> Open source software loses here on several points:
> [...]
I don't want to get into the whole FIPS 140-2 mess ... but while it does
mostly deal with hardware products, there is a path for software-only
products to be certified. And it IS possible for open-source software
to be certified ... look at the certificate and security policy for
the FIPS-certified OpenSSL. Mind you, it's an uphill battle and I
think it is worthless from a _security_ perspective ... for software
I think the only value is so a government bureaucrat can check off a
box on a form.
> Appendix A describes the documentation that is necessary.
> There's a lot of it, and it is very specific to the testing
> required for FIPS 140-2. $25K to hire somebody to produce
> this would be a real bargain for something as complicated as
> Kerberos 5.
When I said $25K (that was a number of years ago) that was the fee charged
by the testing labs that NIST uses. That's just for the FIPS 140-2
test ... generally you (the submitter) have to do all of the documentation
yourself, as well as meet all of the bizarre and seemingly arbitrary NIST
requirements.
> Appendix B describes the "recommended software development
> practice". These practices are probably a bit out of date, and
> certainly do not describe modern conventions for C. The testing &
> documentation is certainly considerably more rigorous than many
> open source projects. Note that the better organized projects
> at least approach the software methodology suggested here, with
> interesting differences: for instance the design stage may happen
> in part via online chat, unit testing may be on the honor system,
> functional specifications may be terse, & structure charts are
> nearly extinct except in the personnel department.
I was under the impression that those recommendations are not requirements.
> Rather than looking to the open source community to produce this, I
> think your best bet is to look at one of the vendors to do this.
> Say, Apple, Solaris, etc. They distribute the complete system,
> not just the software, so they have a better claim on "complete system",
> plus both the money stream, and the incentive, to pay for the
> certification. Apparently at least one of the Solaris people
> is already pursuing FIPS 140-2 for some of the lower-level crypto
> stuff (not Kerberos yet).
Well, no one has even started the process yet AFAIK, so I think you'll
be waiting a long time. The "complete system" is not really a barrier
as I understand it.
--Ken