Are NSS bug fix releases still FIPS 140-2 certified?

Ernie Kovak
Sorry, I'm not familiar with the rules governing FIPS 140-2 certification and I'd appreciate some help with the following question:

I find NIST certification #1837 for version 3.12.9.1 from back in 2012 (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1837).

Have the changes made between then and the current v3.28.2 been such that that certification still applies?

Or do I have to use 3.12 to be really, no kidding FIPS 140 compliant?

Thanks!
Ernie
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Are NSS bug fix releases still FIPS 140-2 certified?

Kyle Hamilton-2
You must use the specific binaries of version 3.12.9.1 from back in 2012 to
be really, honestly, truly FIPS 140 compliant.

Further, you must use a FIPS-certified implementation to verify the
integrity of that version in order to be really, no kidding FIPS 140
compliant, or get it on a disk directly from Mozilla (and the cryptographic
integrity option is only available if the Security Policy explained how to
cryptographically validate the binaries that you received).

FIPS compliance is all about documenting the chain of custody.  Once you
have that, make absolutely certain that you keep that chain of custody in a
safe along with the original disk that you received the binaries on.

(There might be a process for Mozilla to push a new version with a "vendor
change letter" or something, but that depends on their CMVP validation
provider and various strange and arcane NIST rules.  I've been following
the OpenSSL FIPS validation saga and let me tell you, it's *awful*.)

-Kyle H

On Mon, Feb 13, 2017 at 11:11 AM, Ernie Kovak <[hidden email]> wrote:

> Sorry, I'm not familiar with the rules governing FIPS 140-2 certification
> and I'd appreciate some help with the following question:
>
> I find NIST certification #1837 for version 3.12.9.1 from back in 2012.(
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1837)
>
> Have the changes made between then and the current v3.28.2 been such that
> that certification still applies?
>
> Or do I have to use 3.12 to be really, no kidding FIPS 140 compliant?
>
> Thanks!
> Ernie
> --
> dev-tech-crypto mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
Re: Are NSS bug fix releases still FIPS 140-2 certified?

Ernie Kovak
Red Hat validated their NSS cryptographic module again at the end of 2016, using NSS v3.16.2.3-13.el7_1. See cert# 2711 in the NIST validated modules list:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2016.htm