[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: FIPS-140 required?

To: <dan_york@xxxxxxxxx>, "'Cullen Jennings'" <fluffy@xxxxxxxxx>
Subject: RE: FIPS-140 required?
From: "Dan Wing" <dwing@xxxxxxxxx>
Date: Mon, 5 Feb 2007 14:09:23 -0800
Authentication-results: sj-dkim-6; header.From=dwing@xxxxxxxxx; dkim=pass (s ig from cisco.com/sjdkim6002 verified; );
Cc: <ietf-rtpsec@xxxxxxx>
Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=3479; t=1170713359; x=1171577359; c=relaxed/simple; s=sjdkim6002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@xxxxxxxxx; z=From:=20=22Dan=20Wing=22=20<dwing@xxxxxxxxx> |Subject:=20RE=3A=20FIPS-140=20required? |Sender:=20; bh=Yw2YNeCHd7kkr53yAqguoZTo4VX6wJ11NK+7IBKrWbI=; b=d0dFnyodTPFU730+9daSuleqgyV8jKPjiivpq6QoSjktN514Yu5qT9Bm6EtTK11ygVUaz3iG rcZjrZMur137G0iPhOzTz1PLrdYGZOLA/M312Ulr22g3VIBscV88tXSU;
In-reply-to: <OF4CA68AF7.59F3B6DE-ON85257279.0002274B-85257279.00033872@xxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
Thread-index: AcdIvYiIwOFLqSQLTLSfz99Y38aXrQAs5cMg

Dan York wrote: 

> Yes, we are occasionally seeing RFPs that state a FIPS-140 
> requirement for any encryption, including that of SRTP.  They 
> are typically from government or occasionally financial institutions. 

Ok.

>   (with my guy who works at Mitel hat) 
> 
> I am assuming this is probably true, but I want to just state 
> it so that it's out in the open -  I'm not entirely sure why 
> you are asking, Dan,

Here is the approximate text that I am considering to add to
draft-wing-media-security-requirements:

   The United States Government can only purchase and use crypto
   implementations that have been validated by the FIPS-140 [FIPS-140-2]
   process:

      "This standard [FIPS-140] is applicable to all Federal agencies
      that use cryptographic-based security systems to protect sensitive
      information in computer and telecommunication systems (including
      voice systems) ...  The adoption and use of this standard is
      available to private and commercial organizations."[cryptval]

   Some commercial organizations, such as banks and defense contractors,
   also require or prefer equipment which has validated by the FIPS-140
   process.

and a new requirement:

   A solution SHOULD use algorithms that allow FIPS 140-2
   certification.

> but I would certainly NOT want to see 
> any changes to SRTP RFCs or other documents that made 
> FIPS-140 certification either a requirement or a default for 
> SRTP.  I would like to see (and believe you do too) SRTP 
> adopted widely and would not want to set up barriers that 
> might get in the way of a startup or other companies 
> implementing SRTP (or using it as an excuse for why they can 
> NOT implement SRTP).  There's also the wee little detail that 
> FIPS is only a US government standard (although various other 
> countries do follow it). 

Yes, FIPS-140 is a US Government standard, but I don't 
understand the concern.  For example, FIPS-140, today, allows 
a module that implements IPsec to pass FIPS certification; this 
does not mean IPsec is somehow evil or has weak security.

> Again, I'm assuming you are not doing this, but with such a 
> cryptic question, I thought I'd just state that to be clear. 

Ok, so you want to build equipment that can be FIPS compliant
and you want to build different equipment that was cannot be
FIPS compliant?  It'd be a mistake to choose an Internet 
key exchange mechanism that, for example, did something that
made it impossible to pass FIPS certification.

-d


>   (with my guy who works with VOIPSA and wants to help 
> encourage better VoIP security throughout the industry hat) 
> 
> Dan-who-has-too-many-hats 
> 
> -- 
> Dan York, CISSP
> Dir of IP Technology, Office of the CTO
> Mitel Corp.     http://www.mitel.com
> dan_york@xxxxxxxxx +1-613-592-2122
> PGP key (F7E3C3B4) available for 
> secure communication
> 
> 
> 
> 
> 
> 	Cullen Jennings <fluffy@xxxxxxxxx> 
> Sent by: owner-ietf-rtpsec@xxxxxxxxxxxx 
> 
> 02/04/2007 11:36 AM         
>         To:        Dan Wing <dwing@xxxxxxxxx> 
>         cc:        <ietf-rtpsec@xxxxxxx> 
>         Subject:        Re: FIPS-140 required?
> 
> 
> 
> 
> 
> On Jan 26, 2007, at 2:54 PM, Dan Wing wrote:
> 
> >
> > Is anyone seeing a requirement for FIPS-140 for products that  
> > implement
> > SRTP?
> 
> 
> Yes
> 
> (with my guy who works at cisco hat:-)
> 
> 
> 
>

Follow-Ups:
- Re: FIPS-140 required?
  - From: Spencer Dawkins
- RE: FIPS-140 required?
  - From: dan_york

References:
- Re: FIPS-140 required?
  - From: dan_york

Prev by Date: RE: RTPSec BOF proposal for IETF 68
Next by Date: RE: Early and late rogue RTP packets
Previous by thread: Re: FIPS-140 required?
Next by thread: RE: FIPS-140 required?
Index(es):
- Date
- Thread