Fedora Crypto Consolidation Project

[Steve Grubb]

On Saturday 01 September 2007 01:14:10 Alexander Boström wrote:
> > If the crypto boundary was completely contained within the library and
> > the library has been FIPS 140-2 certified, many applications will gain
> > the cert just by linking to it. Its that simple.
>
> I assume that for an app to get the implicit certification, all the
> crypto libraries it links to needs to be certified.

The Fedora Project being a volunteer project has no money to pay for a 
certification of all these libraries. Its expensive. In addition, the 
certification process can last longer than any release's Fedora's support 
cycle. So, if Fedora is going to have certified crypto, we have to use what 
has already been certified and restructure things to use it. Another point 
I'd like to make is that simply linking against nss is not sufficient. The 
app also has to obey the system crypto policy.

The strategy wrt crypto libraries is to 1) update the app if possible to use 
nss directly and then the maintainer sets the --with-nss configure option, 2) 
create abstraction layer so that the API of the library being linked against 
calls nss eventually. This also requires changing the linking but is less 
invasive than option 1.

We probably won't be able to tackle all of Fedora. But the plan is to get the 
core set of apps that are used by most people.

-Steve