Thanks for the help! I really have misconceptions about FIPS 140-2. I was instructed to compile and install this module: http://openssl.com/fips/. But I cannot understand how I can use it. Can you explain its functionalities? Sorry for the dummy questions.

> To: openssl-users at openssl.org
> From: marquess at openssl.com
> Date: Sat, 19 Dec 2015 08:56:22 -0500
> Subject: Re: [openssl-users] FIPS 140-2 library
>
> On 12/19/2015 08:28 AM, Marcos Bontempo wrote:
> > I want to exclude the private key if there is an attempt to violation.
> > Has FIPS this functionality?
>
> I think you have some misconceptions about what FIPS 140-2 is and isn't.
> It is "magical pixie dust", not a technique or some specific type of
> functionality.
>
> FIPS 140-2 validation is a paper intensive formal process by which
> specific implementations (software and/or devices) are given an official
> government blessing (the "pixie dust").
>
> FIPS 140-2 validated products are *not* more secure or better, by any
> real-world metric, than equivalent non-validated products. In fact they
> are rather manifestly *less* secure, in the sense of resistance to
> malicious or accidental compromise. You can't do anything with FIPS
> 140-2 validated products you can do without, except for the entirely
> non-technical objective of satisfying formal policy requirements.
>
> So if you aren't forced to use validated products, just ask "how can I
> do X securely" and leave FIPS 140-2 out of it. If you do need validated
> products, then that requirement drives and constrains your choices and
> real-world security is a secondary consideration, instead you must ask
> "is there a validated product available that will allow X"? You can't
> code your way to FIPS 140-2 validated status, you have to find and use
> something that is already validated.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc