Crypto overhaul
Chris H
bsd-lists at bsdforge.com
Fri Oct 27 17:11:59 UTC 2017
On Fri, 27 Oct 2017 12:38:47 +0000 "Wall, Stephen" <swall at redcom.com> wrote
[ re-wrapped for better readability ]
> Be aware that moving away from a crypto library that has a FIPS-approved
> crypto core will have a significant impact on commercial users of
> FreeBSD who do business with U.S. government (and likely some other
> governments and corporate sectors as well). BoringSSL is pursuing/has
> pursued FIPS validation, but they offer this warning on their web page:
>
> Although BoringSSL is an open source project, it is not intended for
> general use, as OpenSSL is. We don't recommend that third parties
> depend upon it. Doing so is likely to be frustrating because there
> are no guarantees of API or ABI stability.
>
> BearSSL, being a new, small project, is highly unlikely to pursue FIPS
> certification. LibreSSL has deliberately stripped anything FIPS related
> out of their fork, and the project has stated multiple times that it
> will not come back.
>
> I am not opposing a change (indeed, consolidating the various crypto
> sources in FreeBSD to a single (FIPS-possible) library would be a good
> thing), I just prefer (strongly) that FIPS not be pushed out of the
> picture.
>
FIPS, or not, Typhoid Mary needs to go, and the sooner the better!
Given a choice of using OpenSSL because it has FIPS certification,
knowing that it will likely permit a [near] future system compromise,
or using an alternative with a long history of reliability, safety,
and a great deal of scrutiny by seasoned developers and security
engineers, it should be an easy question to answer.
FIPS or not, it should be an easy pitch to make -- even to those
on the FIPS bandwagon.
I don't think there's any reason to panic; OpenSSL will likely
still remain in the ports tree, no matter *what's* decided on for
$BASE, for those that *must* have it. :)
> -spw
--Chris
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"