RE: [ DRAFT PATCH ] - FIPS 140-2 patch for OpenSSH 6.5p1

> Then there is the additional consideration that FIPS 140-2 is only desirable in a context (USG and DoD)
> where X.509 support is also mandatory. OpenSSH has adopted a different (and more robust) certificate 
> scheme. FIPS 140-2 has always been focused on compliance to a specific ritualized policy and process, 
> and thus is necessarily less secure in an absolute sense, while OpenSSH is focused on real-world security. 
> IMHO that discrepancy will probably continue to grow.

> So while it remains technically possible to jam the round OpenSSH peg into the square FIPS 140-2 hole, 
> I'm no longer sure it makes sense to attempt it in the baseline OpenSSH.

What the government asks for in any given situation can be highly variable, and in many cases what they explicitly ask for is a round peg squashed into the square hole.  I for one am very interested in seeing patches of this nature continue to be maintained. 
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



