FIPS 140-2 certification

Nathan Bardsley nathanb at clinicomp.com
Sat Sep 28 07:10:13 EST 2002


Hello everyone!

I work for a company that uses OpenSSH to remotely support systems we've 
sold.  Since some of our clients are US Dept. of Defense hospitals, our 
access to these servers needs to comply with a whole range of 
requirements and standards.  At this point it's looking like the SSH 
daemon needs to be FIPS 140-2 compliant, and the only package that is 
certified is F-Secure.

The other option is for CliniComp to sponsor getting OpenSSH through the 
certification process, and that's what I'm exploring.

I'd really appreciate knowing what the core developers think about this, 
and how willing they would be to assist in the process.  I know there 
will need to be a fair amount of documentation, and there is no 
substitute for first-hand knowledge.  Also, it seems pretty clear that at 
least some code changes will be needed including self-tests, a new prng, 
and work in the key generation & validation modules.

While we (CliniComp) do have some resources including technical writers 
and programmers, we certainly do not have the expertise in cryptography 
to just do it all ourselves.  And if this does happen, part of the point 
would be for the necessary changes to be rolled back into the standard 
package.

Please understand that right now I'm just exploring possibilities, but 
the other option for us is to spend a lot of money on F-Secure licenses.

I would very much appreciate hearing your thoughts and from anyone else 
interested in making this happen.

Thanks,

--Nathan
