[IDS] 6/18 teleconference call minutes

[IDS] 6/18 teleconference call minutes

[IDS] 6/18 teleconference call minutes

Randy Turner rturner at amalfisystems.com
Fri Jun 19 00:14:06 UTC 2009

Hi All,

I noticed in the meeting minutes from the 6/18 teleconference that  
there was a discussion on vendor-specific attributes - these are  
definitely handled by a vendor-specific plug-in, however, in the case  
of the attribute HCD_Certification_State, we may can draw on how the  
OpenSSL project handles a similar value.

For FIPS 140-2 certification, a specific version of source code was  
submitted, including instructions for how to build a "FIPS" version of  
the codebase.

In addition, a SHA-1 fingerprint for this specific set of source code  
is generated - source code fingerprints are fairly common for security- 
related open source projects.

In addition, during the build process, the individual object files are  
fingerprinted as well.

There is an additional integrity check performed at runtime.

So there is a source-level, link-time, and runtime verification  
performed to make sure that the code that is compiled, built, and run,  
is the exact same code that was certified by the FIPS laboratory.

The runtime check is made by the code calling fips_mode_set(), and the  
compiler/build-system must be able to order the OpenSSL FIPS code  
always in the same order (with respect to relocatable addresses), so  
that the runtime fingerprint generated by the FIPS Lab is the same as  
is generated each time the code runs.

The value of the FIPS fingerprint could be an example of the  
HCD_Certification_State value.

This is a concrete example of how we might think of the  
HCD_Certification_State attribute.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2433 bytes
Desc: not available
URL: <http://www.pwg.org/pipermail/ids/attachments/20090618/5b0315c4/attachment.p7s>

More information about the ids mailing list