From: Michael S. Zick <minimod@morethan.org>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] libnss: Add new package.
Date: Mon, 14 Mar 2011 14:04:03 -0500
Message-ID: <201103141404.13865.minimod@morethan.org>
In-Reply-To: <AANLkTikuS1doYx310yhGbu6esBQAqksL_VzgKZRWfBH+@mail.gmail.com>
On Mon March 14 2011, you wrote:
> On Mon, Mar 14, 2011 at 4:54 PM, Michael S. Zick <minimod@morethan.org> wrote:
> > On Mon March 14 2011, Will Newton wrote:
> >> NSS is the Network Security Services library developed as part of
> >> the Mozilla project. It provides similar functions to OpenSSL but
> >> allows MPL, GPL and LGPL licensing and has been FIPS certified.
> >>
> >
> > Note:
> > The version mentioned in this patch __is not__ one of the certified
> > versions.
> > Ref:
> > http://www.mozilla.org/projects/security/pki/nss/fips/
> >
> > Nor does the validated version build for all of the Buildroot targets.
> > Ref:
> > http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#815
> > http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp815.pdf
> >
> > So I think it is unwise to include that "and has been FIPS certified"
> > in the new package description.
>
> I'm aware that it is not a FIPS certified version, I only put that line in
> there to help answer the inevitable "why another crypto library?"
> question.
>
> I'll remove the mention of FIPS certification.
>
>
Good idea, will not mislead someone in the future.
But it does raise an interesting question -
OpenSSL will build the FIPS validated module which can be
used with the rest of the library when the security policy
is followed (which I think would be easy for BR to do).
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1051.pdf
Installation instructions start on page 15.
Which might be of interest because the validated module will
build for ARM-uClibc. (Page 6) Also, version 1.2.2 should have
the cross-compile problem fixed. (Page 4).
Having that would also allow other users of the library to build
"FIPS mode" applications, such as OpenSSH. (In case anyone needs
a "FIPS mode ssh" ;-) )
One down-side I can see to suggesting that FIPS mode be included in BR:
The configuration and make files are easy for someone to change without
reference to the security policy -
If someone updated the package site, version or allowed commands,
they would be generating a non-validated module when they thought otherwise.
So maybe "FIPS mode" of everything should remain the province of the
local security officer, outside of Buildroot.
Mike