From: Carmel NY
To: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: NIST and FIPS compliance
Date: Tue, 9 Apr 2019 13:19:38 +0000
In-Reply-To: <8cf79597-7acf-6b87-c49f-2583d0d13de3@FreeBSD.org>
On Tue, 9 Apr 2019 10:04:23 +0100, Matthew Seaman stated:

> On 08/04/2019 19:06, Paul Pathiakis via freebsd-questions wrote:
>> I find the whole idea of NIST and FIPS to fly in the face of OSS
>> sanity. However, should there not be a switch in all ports and the OS
>> for things to be built with a FIPS compliant encryption module?
>> Seriously, like the openssl-2.0-fips module? I know it's annoying but
>> the US and Canadian Govts are demanding this of all vendors and
>> contractors. RH/CentOS is already compliant with this stupidity and,
>> sadly, I think it should be considered.
>>
>> And, if this was done, it would allow all derivations of the FreeBSD
>> to be able to access this. I'm trying for FreeNAS to be used in such
>> an environment.
>
> This is definitely an idea that should be considered further. You
> might want to start a discussion on the freebsd-arch@ or
> freebsd-ports@ mailing lists -- as those are the places you're likely
> to reach the most relevant audience.
>
> I don't know offhand what is required for FIPS compliance --
> presumably this entails some sort of certification by a standardizing
> body that (given certain conditions) a system is compliant -- and that
> is almost certainly going to cost some amount of money.
>
> Whether it is possible to get certification for a generic system, or
> whether each different installation needs to be separately certified
> has always been a key question. Also whether having some sort of
> 'pre-certification' for the baseline system is a possibility in the
> latter case would be good to know.
>
> Ultimately this is going to come down to two things:
>
>  * People with the technical skills required being prepared to
>    volunteer their time.
>
>  * Money to pay for whatever level of certification we could
>    feasibly achieve.
>
> There's a trade-off here between the cost and effort required and the
> resulting benefits. If this needs money, then the FreeBSD Foundation
> should be involved, and they are going to want to see a well-argued
> business case before signing any cheques.
>
> Cheers,
>
> Matthew

I don't know if this will be of any use to you, Matthew.

https://en.wikipedia.org/wiki/FIPS_140-2

Interestingly enough, Win 10 Pro has an option to enable FIPS; however,
even Microsoft says not to enable it unless you absolutely have to, i.e.,
for government compliance.

RH/CentOS are already compliant, apparently. It would seem counterproductive
for FreeBSD not to be also. In any case, its use should be made optional.

-- 
Carmel