FIPS compliance

Marcus Watts mdw at umich.edu
Wed Dec 3 14:37:17 EST 2008


You wrote:
> Date:    Wed, 03 Dec 2008 12:32:16 CST
> To:      "kerberos at mit.edu" <kerberos at mit.edu>
> From:    Tim Jandt <Tim.Jandt at dedicatedcomputing.com>
> Subject: FIPS compliance 
> 
> Hello,
> 
> I found a post in which you mentioned:
> 
> 
> "FIPS compliance is something you get by going through a very particular govern
> mental certification process, which normally does not deal with generic standar
> ds, but instead deals with specific and particular implementations.  Standards 
> are described, but the compliance aspect is to show that a particular implement
> ation meets that standard."
> 
> Would you by chance have links to any government agencies or test labs web site
> s that describe the FIPS certification process in more detail?
> 
> Thanks,
> Tim

"You" here is a very vague word.  There are about 4 messages in
the thread you appear to reference, from different folks.

Just on the off-chance you mean me, here are some links:

http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
http://en.wikipedia.org/wiki/FIPS_140-2
https://wiki.mozilla.org/FIPS_Validation

The 1st is the standard proper.  At 69 pages, it's not exactly light
reading, but it could be a *lot* worse.  Beware, this may not describe
actual practice, particularly for software.  The 3rd describes the actual
experience of one open source project.  The 2nd & 3rd have pointers to
additional resources.  You can find lots more with google.

				-Marcus Watts



More information about the Kerberos mailing list