FIPS 140-2 certification
Ben Lindstrom
mouring at etoh.eviladmin.org
Sat Sep 28 07:34:44 EST 2002
On Fri, 27 Sep 2002, Nathan Bardsley wrote:
> Hello everyone!
>
> I work for a company that uses OpenSSH to remotely support systems we've
> sold. Since some of our clients are US Dept. of Defense hospitals, our
> access to these servers needs to comply with a whole range of
> requirements and standards. At this point it's looking like the SSH
> daemon needs to be FIPS 140-2 compliant, and the only package that is
> certified is F-Secure.
>
Where are theses 'DIPS 140-2' requirements? If they are anything like the
other military requirements they are impratical and insane (yes I've had
some time in the area. Not my idea of fun =).
> The other option is for CliniComp to sponser getting OpenSSH through the
> certification process, and that's what I'm exploring.
>
> I'd really appreciate knowing what the core developers think about this,
> and how willing they would be to assisting in the process. I know there
> will need to be a fair amount of documentation, and there is no
> subsitute for first-hand knowledge. Also, it seems pretty clear that at
> least some code changes will be needed including self-tests, a new prng,
> and work in the key generation & validation modules.
>
We have a regess/ section in the current tree.
What is the issue with prng? You really should be using kernel level
devices. prngd and built-in prng should be a last resort. Besides, I
bet our prng could easily get certified by NIST. It is a more sane
implementation than some of the NIST certified stuff at my work.=)
- Ben
More information about the openssh-unix-dev
mailing list