From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 3 May 2012 09:57:12 +0100
From: "Daniel P. Berrange"
Message-ID: <20120503085712.GG24747@redhat.com>
References: <20120502193256.6508.86360.stgit@sifl> <20120503082915.GF24747@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Reply-To: "Daniel P. Berrange"
To: Alexander Graf
Cc: Paul Moore , qemu-devel@nongnu.org

On Thu, May 03, 2012 at 10:51:15AM +0200, Alexander Graf wrote:
>
> On 03.05.2012, at 10:29, Daniel P. Berrange wrote:
>
> > On Wed, May 02, 2012 at 03:32:56PM -0400, Paul Moore wrote:
> >> FIPS 140-2 requires disabling certain ciphers, including DES, which is used
> >> by VNC to obscure passwords when they are sent over the network. The
> >> solution for FIPS users is to disable the use of VNC password auth when the
> >> host system is operating in FIPS mode.
>
> So that means "no password" is more secure according to FIPS than
> "DES encrypted password"?

No, FIPS is not making statements about the choice of auth methods.
FIPS is concerned with what encryption algorithms an application uses.
The requirements about whether authentication is required & what sort,
is up to other specifications (e.g. Common Criteria) to decide.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|