On 12/19/2015 08:28 AM, Marcos Bontempo wrote:
> I want to exclude the private key if there is an attempt at violation.
> Does FIPS have this functionality?

I think you have some misconceptions about what FIPS 140-2 is and isn't. It is "magical pixie dust", not a technique or some specific type of functionality. FIPS 140-2 validation is a paper-intensive formal process by which specific implementations (software and/or devices) are given an official government blessing (the "pixie dust").

FIPS 140-2 validated products are *not* more secure or better, by any real-world metric, than equivalent non-validated products. In fact they are rather manifestly *less* secure, in the sense of resistance to malicious or accidental compromise. You can't do anything with FIPS 140-2 validated products that you can't do without them, except for the entirely non-technical objective of satisfying formal policy requirements.

So if you aren't forced to use validated products, just ask "how can I do X securely" and leave FIPS 140-2 out of it. If you do need validated products, then that requirement drives and constrains your choices and real-world security is a secondary consideration; instead you must ask "is there a validated product available that will allow X?" You can't code your way to FIPS 140-2 validated status; you have to find and use something that is already validated.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc