
FIPS 140-2 certification


greg...@yahoo.com

Feb 22, 2005, 4:44:34 PM
About 6 months ago, someone asked in this group if anyone is
working on seeking FIPS 140-2 certification for the latest crypto
modules. Both the Mozilla and Sun POCs responded that there are
plans for getting NSS 3.9 certified (Mozilla), or that it is under
consideration (Sun response).

NSS 3.2.2 -- the version last certified -- is now 3.5 years old
and several security vulnerabilities and numerous bug fixes and
feature additions have occurred since then. I suspect that with
the Firefox and Thunderbird 1.0 releases, more agencies are starting
to run into this issue.

What is the current status? Thanks.

Greg Ubben

Savage Robert G Contr AFCA/EACR

Feb 22, 2005, 6:01:11 PM
Greg,

I was the one who asked about FIPS 140-2 certification, and I'm still looking forward to seeing an announcement from MF on this subject.

Although it's true that NSS 3.2.2's FIPS 140-1 certification is 3.5 years old, would you believe Microsoft's Windows 2000 (for IE) cert is even older? That certificate (#106) goes back to 7/31/2000. Oddly enough, the FIPS.SYS file v5.0.2195.1569 referenced in the certificate is actually dated 5/04/2001. I've asked our corporate Microsoft rep to explain that, but all I've heard in reply is the sound of crickets.

If FIPS-140 certification rules were to be rigorously enforced for any reason, one of two things would happen:

(1) No contemporary browser would be allowed, since all their code modules have changed since they were certified and none is current. This would shut down all use of the web in the Federal government. (Not very likely.)

(2) The lawyers and auditors would re-read the statutes and policies, then declare that FIPS-140 certification is only a requirement for National Security Information (read: classified) processing.

I'm no lawyer, but I can read the applicable statutes as well as the next person, and I personally believe (2) is the right answer. However, I'm not the local sheriff here and don't speak for the AF. In reality there is a zeroeth choice:

(0) Do not, under any circumstances, ask the question in an official capacity in the first place. ("Don't ask the question if you can't stand the answer.") This avoids having to decide between (1) and (2).

And that's the limbo we exist in today.

--Doc
Robert G. (Doc) Savage, CISSP, RHCE, GCIA
AFCA/EACR, ETAS Support Contractor
BAE Systems Information Technology
Voice: (618) 229-6381   DSN: 779-6381
Fax: (618) 229-5339
E-mail: robert...@scott.af.mil
