Hi Simo,
Thanks for the clear response.
This is more in keeping with my understanding of the assurance
process.
In short
* FIPS evaluation only applies to the algorithms in scope. Generally
something like Suite B
* FIPS is only applicable to a particular instance ie binary or set of
binaries.
That being said, in some environments you only need to demonstrate the
use of specific cryptograhic operations which may be embodied by FIPS
evaluation in which case it's a reasonable shortcut.
So than than shooting yourself in the foot it can make you life
significantly simpler. Also most auditors don't really understand the
more esoteric aspects of these processes and concentrate in things that
the can understand.
However that lack of understanding is also a two edged sword. ;-)
-----Original Message-----
From: Simo Sorce via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Steve Reed <scottmreed(a)hotmail.com>, Simo Sorce <simo(a)redhat.com>
Subject: [Freeipa-users] Re: FreeIPA and FIPS
Date: Mon, 19 Apr 2021 17:08:04 -0400
Hi Steve,
On Mon, 2021-04-19 at 19:08 +0000, Steve Reed via FreeIPA-users wrote:
Hi Stephen,
True. I understand that, but I think we are getting off track to
myoriginal question. Can you run a FIPS FreeIPA server and still
havethe clients work with it? It't not necessarily required to have
theclients FIPS compliant, but the server must since it has to do
theencryption for data that it stores.
Yes you can run a server in FIPS mode, and clients will generally
talkto it just fine. FIPS mode in RHEL simply reduces the set of
availablealgorithms,so clients have less to chose from but will work
just fine.
The caveat is if you have non-RHEL clients that are either very old,
orsomewhat "special", and support only a subset of
(old/different)algorithms that are not supported by the server in FIPs
mode.
So the answer is generally "yes with some caveats".
Note that this caveats are also valid in general for running on
RHELwhere we apply somewhat stringent crypto policies to avoid old and
weakprotocols by default.
And I appreciate that everyone is trying to save me some time, but
ithas been decided that we will use FIPS unless it proves
notbeneficial.
Just a note for everyone looking at this thread.FIPS mode can be used
at any time without restriction, so you arewelcome to use it. Many
chose to use FIPS mode to make sure only testedand approved algorithms
are used.
However, FIPS compliance is technically possible only with
certifiedmodules. And Red Hat certifies exclusively RHEL binary builds
(I knowbecause I do that). You can check the certificates on the CMVP
websiteand the related Security Policy documents for more details.
CentOS (or any other rebuild) builds are not covered by Red
HatCertificates and I am not aware of anyone else certifying
CentOSbinaries either.
Simo.
-- Simo SorceRHEL Crypto TeamRed Hat, Inc
_______________________________________________FreeIPA-users mailing
list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure