[ DRAFT PATCH ] - FIPS 140-2 patch for OpenSSH 6.5p1

Schaaf, Jonathan P (GE Healthcare) jonathan.P.schaaf at ge.com
Wed Feb 26 07:54:58 EST 2014


> Then there is the additional consideration that FIPS 140-2 is only desirable in a context (USG and DoD)
> where x.509 support is also mandatory. OpenSSH has adopted a different (and more robust) certificate
> scheme. FIPS 140-2 has always been focused on compliance to a specific ritualized policy and process,
> and thus is necessarily less secure in an absolute sense, while OpenSSH is focused on real-world security.
> IMHO that discrepancy will probably continue to grow.

> So while it remains technically possible to jam the round OpenSSH peg into the square FIPS 140-2 hole,
> I'm no longer sure it makes sense to attempt it in the baseline OpenSSH.

What the government asks for in any given situation can be highly variable, and in many cases what they explicitly ask for is a round peg squashed into the square hole. I for one am very interested in seeing patches of this nature continue to be maintained.