On Saturday 01 September 2007 01:14:10 Alexander Boström wrote:
> > If the crypto boundary was completely contained within the library and
> > the library has been FIPS 140-2 certified, many applications will gain
> > the cert just by linking to it. It's that simple.
>
> I assume that for an app to get the implicit certification, all the
> crypto libraries it links to need to be certified.

The Fedora Project, being a volunteer project, has no money to pay for a certification of all these libraries. It's expensive. In addition, the certification process can last longer than any Fedora release's support cycle. So, if Fedora is going to have certified crypto, we have to use what has already been certified and restructure things to use it.

Another point I'd like to make is that simply linking against nss is not sufficient. The app also has to obey the system crypto policy.

The strategy wrt crypto libraries is to

1) update the app if possible to use nss directly and then the maintainer sets the --with-nss configure option,
2) create an abstraction layer so that the API of the library being linked against calls nss eventually. This also requires changing the linking but is less invasive than option 1.

We probably won't be able to tackle all of Fedora. But the plan is to get the core set of apps that are used by most people.

-Steve