[IDS] 6/18 teleconference call minutes

Farrell, Lee Lee.Farrell at cda.canon.com
Fri Jun 19 21:16:40 UTC 2009


Hi Randy,

I think the concern from Mike Fenelon was not so much about what kind of
values might be used for the certification state -- but how a validator
might know how to parse and interpret it.  He seemed to be concerned
that different vendors -- and different products -- would/could use very
different values and encodings.

Of course, Mike would be the right one to elaborate.

lee

> -----Original Message-----
> From: ids-bounces at pwg.org [mailto:ids-bounces at pwg.org] On 
> Behalf Of Randy Turner
> Sent: Thursday, June 18, 2009 5:14 PM
> To: ids at pwg.org
> Subject: [IDS] 6/18 teleconference call minutes
> 
> 
> Hi All,
> 
> I noticed in the meeting minutes from the 6/18 teleconference 
> that there was a discussion on vendor-specific attributes - 
> these are definitely handled by a vendor-specific plug-in, 
> however, in the case of the attribute 
> HCD_Certification_State, we may be able to draw on how the OpenSSL 
> project handles a similar value.
> 
> For FIPS 140-2 certification, a specific version of source 
> code was submitted, including instructions for how to build a 
> "FIPS" version of the codebase.
> 
> In addition, a SHA-1 fingerprint for this specific set of 
> source code is generated - source code fingerprints are 
> fairly common for security-related open source projects.
> 
> In addition, during the build process, the individual object 
> files are fingerprinted as well.
> 
> There is an additional integrity check performed at runtime.
> 
> So there is a source-level, link-time, and runtime 
> verification performed to make sure that the code that is 
> compiled, built, and run, is the exact same code that was 
> certified by the FIPS laboratory.
> 
> The runtime check is made by the code calling 
> fips_mode_set(), and the compiler/build-system must be able 
> to order the OpenSSL FIPS code always in the same order (with 
> respect to relocatable addresses), so that the runtime 
> fingerprint generated by the FIPS Lab is the same as is 
> generated each time the code runs.
> 
> The value of the FIPS fingerprint could be an example of the 
> HCD_Certification_State value.
> 
> This is a concrete example of how we might think of the 
> HCD_Certification_State attribute.
> 
> Comments?
> 
> Randy
> 
> 
> 
> 

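An added example, not part of either message and not OpenSSL's code: the fingerprint comparison described in the quoted message, with a reference value recorded once and recomputed at check time, showing why the component order must be fixed. Function names, file names and byte contents are constructed for the example; SHA-1 is used because the message names it.

```python
import hashlib
import hmac


def fingerprint(components):
    """SHA-1 over (name, content) pairs, in exactly the order given.

    Each field is length-prefixed so that moving bytes between adjacent
    fields (or components) changes the digest.
    """
    h = hashlib.sha1()
    for name, content in components:
        for field in (name.encode("utf-8"), content):
            h.update(len(field).to_bytes(8, "big"))
            h.update(field)
    return h.hexdigest()


def verify(components, certified_hex):
    """Recompute the fingerprint and compare it with the certified value."""
    return hmac.compare_digest(fingerprint(components), certified_hex.lower())


# Constructed sample data standing in for the certified module's object files.
CERTIFIED_BUILD = [
    ("fips_a.o", b"\x7fELF constructed object A"),
    ("fips_b.o", b"\x7fELF constructed object B"),
]
# Reference value recorded at certification time and held by the validator.
CERTIFIED_FINGERPRINT = fingerprint(CERTIFIED_BUILD)


def demo():
    """Check the certified build, a reordered build and a patched build."""
    reordered = list(reversed(CERTIFIED_BUILD))
    patched = [CERTIFIED_BUILD[0], ("fips_b.o", b"\x7fELF constructed object b")]
    return {
        "same build": verify(CERTIFIED_BUILD, CERTIFIED_FINGERPRINT),
        "reordered": verify(reordered, CERTIFIED_FINGERPRINT),
        "patched": verify(patched, CERTIFIED_FINGERPRINT),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

The reordered build contains the same bytes as the certified one and still fails the check, which is the reason the build system has to place the code in the same order every time.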