MIT Kerberos - FIPS Validation

Paul Moore paul.moore at centrify.com
Fri Nov 20 15:11:24 EST 2009 

OK - thats a good plan then

so in fact MIT Kerberos would not be FIPS certified since it would
contain (or could) no crypto code

I had looked at making mit libcrypto compliant

-----Original Message-----
From: Tom Yu [mailto:tlyu at MIT.EDU] 
Sent: Friday, November 20, 2009 11:09 AM
To: Paul Moore
Cc: tsitkova at mit.edu; Thomas Harning Jr.; krbdev at mit.edu
Subject: Re: MIT Kerberos - FIPS Validation

Paul Moore <paul.moore at centrify.com> writes:

> there are no details there regarding what plans you have for FIPS
> compliance.
>
> Can you please state
>
> - exactly what bits you will have certified (if any) (specific
> libraries, entire client side package, kdc, entire server side
package,
> ...)
> - what changes will be made to those bits in order to be compliant

As far as we can tell, having the entire MIT Kerberos source tree
FIPS-validated would be prohibitively expensive, so we decided to
pursue FIPS compliance by enabling the use of non-builtin crypto
libraries, which might be FIPS-validated, and not seeking FIPS
validation for the builtin crypto.  If this is not sufficient for your
use cases, would you please explain why in detail?

Also, it would help to know what FIPS 140-2 security level is needed,
and what additional regulations or standards are governing your use
cases.

The crypto modularity project will enable the use of crypto libraries
different from the built-in MIT Kerberos crypto libraries.  One result
is that a user or vendor can build MIT Kerberos using a non-builtin
(possibly platform-native) FIPS-validated crypto library, such as a
validated version of OpenSSL.

>
>
> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf
> Of Zhanna Tsitkova
> Sent: Wednesday, September 16, 2009 7:57 PM
> To: Thomas Harning Jr.; krbdev at mit.edu
> Subject: RE: MIT Kerberos - FIPS Validation
>
> It is work in progress.  Please, see Crypto Modularity proj @
> http://k5wiki.kerberos.org/wiki/Projects/Crypto_modularity 
>
> Zhanna
> ________________________________________
> From: krbdev-bounces at MIT.EDU [krbdev-bounces at MIT.EDU] On Behalf Of
> Thomas Harning Jr. [thomas.harning at trustbearer.com]
> Sent: Wednesday, September 16, 2009 2:47 PM
> To: krbdev at mit.edu
> Subject: MIT Kerberos - FIPS Validation
>
> Just wondering, has there been any work to make a FIPS-validated MIT
> Kerberos client implementation?
>
> I'm guessing that there is some built-in crypto in MIT Kerberos, or do
> I have that wrong?  If the crypto is not built-into MIT Kerberos
> client, is it implemented by OpenSSL or some other cryptography
> library?
>
> --
> Thomas Harning Jr.
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

More information about the krbdev mailing list