Subject: Policy-Discussion
List archive
- From: "Kyle Hamilton" <aerowolf AT gmail.com>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification
- Date: Mon, 20 Feb 2006 04:51:38 -0700
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=JJOD7MWzBq5AfA3/wPgSoGszli88d0iaNaEV1KEXqUAs+kwRAo+9UeFWa2rAIEYXTn9rgs97j/ZlXaOTWcGRXJaCjMuL0/T2qrtxcVsTe1gBZmDw5FvvcYotNTLKvlNvNCrunum5iT/Y+KcGoWLt7Z3mycUV4slIbiMZeT6YiEo=
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
At this point, everything relies upon OpenSSL, which has not yet
released a FIPS-140-2 compliant module. I believe the keys are stored
encrypted on the drive, which has a physical access control as well as
logical access control.
At this point, FIPS-140-2 certification has not been achieved by
CAcert (to the best of my knowledge; if I am wrong, please correct
me). At such time as it is, if it is based on OpenSSL's FIPS code
base, it will be (at best) level 1; if it relies on OpenSSL's ENGINE
capability, it depends on the certification of the hardware used, and
how it is used. (In any case, the certification for the cryptographic
module does not carry itself out to the entire implementation which
uses the cryptographic module; the implementation must be certified
independently of the module, though the use of a secure module makes
things a lot quicker.)
-Kyle H
On 2/20/06,
Lambert.Hofstra AT ins.com
<Lambert.Hofstra AT ins.com>
wrote:
> > This makes me wonder if it would be possible to have a key generator
> > somewhere that would split it into a 2/4 share scheme before ever
> > letting it leave the box -- preferably one that would do all the
> > encryption necessary to send via S/MIME to each of the employees, as
> > well as talking to the SMTP server to do so.
> >
> > Just musing...
> >
> > -Kyle H
>
> FIPS 140-2 requires for level 3 and 4 that keys can only be exported in
> such a way ("Secret and private keys established using manual methods
> shall be entered or output encrypted or with split knowledge
> procedures.", see
> http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf )
>
> Most devices support both n out of m, or n-components mechanisms.
>
> This makes me wonder: what is the security level of the cryptographic
> hardware in use at CAcert?
>
> Lambert Hofstra
>
>
> > _______________________________________________
> > Have you subscribed to our RSS News Feed yet?
> >
> > CAcert-Policy mailing list
> > CAcert-Policy AT lists.cacert.org
> > http://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-policy
> _______________________________________________
> Have you subscribed to our RSS News Feed yet?
>
> CAcert-Policy mailing list
> CAcert-Policy AT lists.cacert.org
> http://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-policy
>
- [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Philipp Gühring, 02/18/2006
- <Possible follow-up(s)>
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Philipp Gühring, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Philipp Gühring, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Ian G, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Philipp Gühring, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/20/2006
- RE: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Lambert.Hofstra, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/20/2006
- RE: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Peter Williams, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Duane, 02/20/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/21/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Duane, 02/21/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Philipp Gühring, 02/21/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Ian G, 02/21/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Philipp Gühring, 02/21/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Duane, 02/21/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Kyle Hamilton, 02/21/2006
- Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Duane, 02/20/2006
- RE: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Lambert.Hofstra, 02/20/2006
- RE: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Lambert.Hofstra, 02/20/2006
- RE: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Lambert.Hofstra, 02/20/2006
- RE: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification, Lambert.Hofstra, 02/20/2006
Archive powered by MHonArc 2.6.16.