MIT Kerberos - FIPS Validation

Paul Moore paul.moore at
Fri Nov 20 15:11:24 EST 2009

OK - thats a good plan then

so in fact MIT Kerberos would not be FIPS certified since it would
contain (or could) no crypto code

I had looked at making mit libcrypto compliant

-----Original Message-----
From: Tom Yu [mailto:tlyu at MIT.EDU] 
Sent: Friday, November 20, 2009 11:09 AM
To: Paul Moore
Cc: tsitkova at; Thomas Harning Jr.; krbdev at
Subject: Re: MIT Kerberos - FIPS Validation

Paul Moore <paul.moore at> writes:

> there are no details there regarding what plans you have for FIPS
> compliance.
> Can you please state
> - exactly what bits you will have certified (if any) (specific
> libraries, entire client side package, kdc, entire server side
> ...)
> - what changes will be made to those bits in order to be compliant

As far as we can tell, having the entire MIT Kerberos source tree
FIPS-validated would be prohibitively expensive, so we decided to
pursue FIPS compliance by enabling the use of non-builtin crypto
libraries, which might be FIPS-validated, and not seeking FIPS
validation for the builtin crypto.  If this is not sufficient for your
use cases, would you please explain why in detail?

Also, it would help to know what FIPS 140-2 security level is needed,
and what additional regulations or standards are governing your use

The crypto modularity project will enable the use of crypto libraries
different from the built-in MIT Kerberos crypto libraries.  One result
is that a user or vendor can build MIT Kerberos using a non-builtin
(possibly platform-native) FIPS-validated crypto library, such as a
validated version of OpenSSL.

> -----Original Message-----
> From: krbdev-bounces at [mailto:krbdev-bounces at] On Behalf
> Of Zhanna Tsitkova
> Sent: Wednesday, September 16, 2009 7:57 PM
> To: Thomas Harning Jr.; krbdev at
> Subject: RE: MIT Kerberos - FIPS Validation
> It is work in progress.  Please, see Crypto Modularity proj @
> Zhanna
> ________________________________________
> From: krbdev-bounces at MIT.EDU [krbdev-bounces at MIT.EDU] On Behalf Of
> Thomas Harning Jr. [thomas.harning at]
> Sent: Wednesday, September 16, 2009 2:47 PM
> To: krbdev at
> Subject: MIT Kerberos - FIPS Validation
> Just wondering, has there been any work to make a FIPS-validated MIT
> Kerberos client implementation?
> I'm guessing that there is some built-in crypto in MIT Kerberos, or do
> I have that wrong?  If the crypto is not built-into MIT Kerberos
> client, is it implemented by OpenSSL or some other cryptography
> library?
> --
> Thomas Harning Jr.
> _______________________________________________
> krbdev mailing list             krbdev at
> _______________________________________________
> krbdev mailing list             krbdev at
> _______________________________________________
> krbdev mailing list             krbdev at

More information about the krbdev mailing list