Re: Are NSS bug fix releases still FIPS 140-2 certified?

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Are NSS bug fix releases still FIPS 140-2 certified?

Ernie Kovak
Kyle Hamilton is right. The authoritative document is the NSS module's security policy, which is linked from their validation certificate (see above). That policy specifies how the module can be used in order to be FIPS 140-2 compliant.

According to the NIST FIPS 140-2 Implementation Guide (http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf) there are only a couple things you can do to a module once it's been validated:

The vendor can fix non-security related bugs and update their validation (as opposed to a full re-validation of the module), and

Users can build the module from sources for the purpose of porting to new platforms IFF the security policy includes specific build procedures. But the NSS security policy contains no such build procedures. Look at the OpenSSL policy for an example of one that does.

That means NSS does not provide FIPS compliance on any platform other than the one they tested on. So, not on Windows. Not anywhere other than Red Hat Enterprise Linux on a few platforms.

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Are NSS bug fix releases still FIPS 140-2 certified?

Robert Relyea
On 04/10/2017 02:58 PM, Ernie Kovak wrote:
> Kyle Hamilton is right. The authoritative document is the NSS module's security policy, which is linked from their validation certificate (see above). That policy specifies how the module can be used in order to be FIPS 140-2 compliant.
>
> According to the NIST FIPS 140-2 Implementation Guide (http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf) there are only a couple things you can do to a module once it's been validated:
>
> The vendor can fix non-security related bugs and update their validation (as opposed to a full re-validation of the module), and
>
> Users can build the module from sources for the purpose of porting to new platforms IFF the security policy includes specific build procedures. But the NSS security policy contains no such build procedures. Look at the OpenSSL policy for an example of one that does.
So this is a little in accurate in that:
1) Only the validating vendor can do a 'vendor affirm' on a new plaform.
Each openSSL vendors that want FIPS validations do their own validation.
2) That vendor can do a 'vendor affirm' without any documented build
procedures.

So the conclusion below is correct with respect to the Red Hat
validation, but it's true because Red Hat has not vendor affirmed any
other platforms. It is not the case that openSSL is any more validated.
> That means NSS does not provide FIPS compliance on any platform other than the one they tested on. So, not on Windows. Not anywhere other than Red Hat Enterprise Linux on a few platforms.


>

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Are NSS bug fix releases still FIPS 140-2 certified?

Julien Pierre-3
In reply to this post by Ernie Kovak
Ernie,


On 4/10/2017 2:58 PM, Ernie Kovak wrote:
> That means NSS does not provide FIPS compliance on any platform other than the one they tested on. So, not on Windows. Not anywhere other than Red Hat Enterprise Linux on a few platforms.
>
Many other vendors have done NSS FIPS validation on tons of other
platforms in the past. This includes Windows. Sun did so in the past,
for example. You can browse the CMVP certificate list for yourself to
find that out. I don't know about the state of current validations on
Windows, though.

Julien
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Are NSS bug fix releases still FIPS 140-2 certified?

Ernie Kovak
In reply to this post by Ernie Kovak
Thanks, Julien. I went through the 'All' CMVP certificate list and, for every module tested on Windows, searched the security policy for "nss" and "softokn". Sadly, I didn't find any based on NSS.
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto