Fedora Crypto Consolidation Project
Steve Grubb
sgrubb at redhat.com
Sat Sep 1 12:19:45 UTC 2007
On Saturday 01 September 2007 01:14:10 Alexander Boström wrote:
> > If the crypto boundary was completely contained within the library and
> > the library has been FIPS 140-2 certified, many applications will gain
> > the cert just by linking to it. Its that simple.
>
> I assume that for an app to get the implicit certification, all the
> crypto libraries it links to needs to be certified.
The Fedora Project being a volunteer project has no money to pay for a
certification of all these libraries. Its expensive. In addition, the
certification process can last longer than any release's Fedora's support
cycle. So, if Fedora is going to have certified crypto, we have to use what
has already been certified and restructure things to use it. Another point
I'd like to make is that simply linking against nss is not sufficient. The
app also has to obey the system crypto policy.
The strategy wrt crypto libraries is to 1) update the app if possible to use
nss directly and then the maintainer sets the --with-nss configure option, 2)
create abstraction layer so that the API of the library being linked against
calls nss eventually. This also requires changing the linking but is less
invasive than option 1.
We probably won't be able to tackle all of Fedora. But the plan is to get the
core set of apps that are used by most people.
-Steve
More information about the fedora-devel-list
mailing list