[bind10-dev] BIND10 in FIPS 140-2 environment
Francis Dupont
fdupont at isc.org
Mon Mar 25 16:24:29 UTC 2013
> > => BTW I already did this (OpenSSL based cryptolink) but more as a proof
> > of concept than for production. My current proposal is to use PKCS#11
> > directly in cryptolink, so it will work with HSMs and with the
> > new SoftHSMv2 which supports both Botan and OpenSSL backends.
>
> If BIND10 will use SoftHSMv2 linked against OpenSSL, I think it's
> absolutely OK (i.e. SoftHSM will act as PKCS#11 wrapper around
> openssl).
=> in fact IMHO it is not, because I don't know if SoftHSMv2 can link
against the certified OpenSSL module (it should, but this must be
checked) and the FIPS mode should be accessible (the -F of bind 9).
BTW for a real HSM it is a configuration flag. Another point
which should be checked. Anyway both points could be fixed in
SoftHSMv2 if needed, so the amount of effort is nothing compared
to getting Botan FIPS 140-2 certified, for instance.
> > => there was no decision today (nor an official announce for SoftHSMv2)
> > but my proposal should work with FIPS 140-2 level > 1 environments
> > (any certified software can be only level 1 by definition).
> > If things are the same in USA as they are in France, only the hardware
> > can be trusted so direct PKCS#11 support solves both the HSM and
> > the FIPS 140-2 questions in the best possible way (:-)!
>
> Yes, direct PKCS#11 calls seem like the best approach to me.
=> I was sure you'd like this idea (:-)!
> > PS: I did the work for bind 9 (OpenSSL certified module, removed MD5
> > dependencies, added a hook to go in FIPS mode, etc) but as nobody
> > who really understood what FIPS 140-2 is asked for it, it never was
> > a candidate for becoming a product. In fact I believe the only FIPS
> > related detail in current bind 9 code is that the -F argument flag is
> > reserved in all commands...
>
> In my opinion this is not needed. It's enough to instruct the operating
> system to run in FIPS mode, and all non-FIPS stuff (like uncertified
> or weak algorithms) is disabled directly in openssl, so every call
> of the unsupported stuff fails.
=> it is in the requirements for applications using the
certified OpenSSL code, and not something hard to add.
As I don't understand the "operating system" in your comment, perhaps
it is particular to the certified module provided by OpenSSL
itself (cf. User Guide 2.0 section 5.2, aka FIPS_mode_set()).
Regards
Francis Dupont <fdupont at isc.org>
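The thread above contrasts two ways of getting FIPS behaviour: an application-level hook that switches into FIPS mode at startup (the -F flag / FIPS_mode_set() Francis describes) versus relying on the crypto library to refuse non-approved algorithms. The following is an added illustration, not code from BIND 9, BIND 10 or SoftHSM: it models the application-side gate in Python on top of hashlib (which is OpenSSL-backed) and hashlib's usedforsecurity flag, rather than calling OpenSSL's FIPS_mode_set() directly. The FipsPolicy class, the FIPS_APPROVED_DIGESTS set and the tsig_mac helper are assumptions made for the example; the real approved algorithm list comes from the certified module's Security Policy. The point it shows is the one behind "removed MD5 dependencies": a security-relevant MD5 use is refused in FIPS mode, a non-security use (hash-table keying, checksums) is still allowed, and the mode must be fixed before any digest is created.

```python
"""Application-side FIPS gate (added example, not BIND code).

Models the '-F' / FIPS_mode_set() style hook from the thread using
hashlib's usedforsecurity flag instead of OpenSSL's FIPS API.
"""
import hashlib
import hmac

# Assumed list for this example: digests an application may use for
# security purposes under its FIPS policy. The authoritative set is the
# certified module's Security Policy, not this constant.
FIPS_APPROVED_DIGESTS = frozenset({"sha1", "sha224", "sha256", "sha384", "sha512"})


class FipsPolicy:
    """Hypothetical per-process FIPS switch, decided once at startup."""

    def __init__(self) -> None:
        self._enabled = False
        self._locked = False  # set once any digest has been created

    def fips_mode_set(self, enabled: bool) -> None:
        # Mirrors the contract of FIPS_mode_set(): the decision belongs at
        # startup, before any cryptographic object exists, so late toggling
        # is an error rather than a silent policy change.
        if self._locked:
            raise RuntimeError("FIPS mode must be set before any digest is created")
        self._enabled = bool(enabled)

    def fips_mode(self) -> bool:
        return self._enabled

    def new_digest(self, name: str, usedforsecurity: bool = True):
        """Return a hash object, refusing non-approved algorithms in FIPS mode.

        usedforsecurity=False lets a caller keep a legacy digest for
        non-security purposes (e.g. bucketing), which is how an application
        "removes MD5 dependencies" without deleting every MD5 call.
        """
        self._locked = True
        name = name.lower()
        if self._enabled and usedforsecurity and name not in FIPS_APPROVED_DIGESTS:
            raise ValueError(f"{name} is not FIPS approved for security use")
        return hashlib.new(name, usedforsecurity=usedforsecurity)

    def tsig_mac(self, digest_name: str, key: bytes, message: bytes) -> bytes:
        """HMAC for a TSIG-like signature; always a security use, so it goes
        through the same gate (hmac-md5 is refused in FIPS mode)."""
        self.new_digest(digest_name)  # raises if the policy forbids it
        return hmac.new(key, message, digestmod=digest_name).digest()


def demo() -> dict:
    """Run the gate in both modes and report what happened."""
    results = {}

    relaxed = FipsPolicy()
    relaxed.fips_mode_set(False)
    results["md5_allowed_without_fips"] = relaxed.new_digest("md5").name == "md5"

    strict = FipsPolicy()
    strict.fips_mode_set(True)
    results["sha256_allowed_in_fips"] = strict.new_digest("sha256").name == "sha256"
    try:
        strict.new_digest("md5")
        results["md5_refused_in_fips"] = False
    except ValueError:
        results["md5_refused_in_fips"] = True
    # Non-security use is still permitted, e.g. keying a cache.
    results["md5_checksum_in_fips"] = strict.new_digest("md5", usedforsecurity=False).hexdigest()
    try:
        strict.fips_mode_set(False)
        results["late_toggle_refused"] = False
    except RuntimeError:
        results["late_toggle_refused"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The mode lock is the part worth copying: whichever library ends up underneath (OpenSSL's certified module, SoftHSMv2 behind PKCS#11, a real HSM's configuration flag), the application should decide FIPS mode once before any key or digest object exists, and treat a later change as a bug.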