On 02/25/2014 03:54 PM, Schaaf, Jonathan P (GE Healthcare) wrote:
>> Then there is the additional consideration that FIPS 140-2 is only
>> desirable in a context (USG and DoD) where x.509 support is also
>> mandatory. OpenSSH has adopted a different (and more robust)
>> certificate scheme. FIPS 140-2 has always been focused on
>> compliance to a specific ritualized policy and process, and thus is
>> necessarily less secure in an absolute sense, while OpenSSH is
>> focused on real-world security. IMHO that discrepancy will probably
>> continue to grow.
>
>> So while it remains technically possible to jam the round OpenSSH
>> peg into the square FIPS 140-2 hole, I'm no longer sure it makes
>> sense to attempt it in the baseline OpenSSH.
>
> What the government asks for in any given situation can be highly
> variable, and in many cases what they explicitly ask for is a round
> peg squashed into the square hole.

How true, and the formal requirements are widely ignored or
circumvented. For instance I've been told by many vendors that most of
their customers never enable the FIPS mode of operation at runtime.

> I for one am very interested in
> seeing patches of this nature continue to be maintained.

Good point; I should make it clear that I'm not opposed to the
continued existence and maintenance of those patches per se. There are
many OpenSSH users who have no choice about the constraints imposed by
those USG/DoD policies. So the patches serve an important role.

However, I'm no longer sure it makes sense to compromise and distort
the baseline OpenSSH (or OpenSSL for that matter) to accommodate
arbitrary policies that are indifferent or hostile to best security
practices. In the case of OpenSSL I have to reluctantly admit that
support of the FIPS 140-2 validated module has to some extent impacted
the quality of the overall OpenSSL product.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess@xxxxxxxxxxxxxxxxxxxxx
marquess@xxxxxxxxxxx
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev