On Mon, 19 Apr 2021 at 11:33, Steve Reed via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi Rob,
So, are you saying that CENTOS is not FIPS compliant? Because there is a
long list of web sites that state that CENTOS and RHEL are FIPS 140-2
compliant.
He is talking about certification and you are talking about compliance.
They are very different things. Compliance is up to the auditor to say if
it meets or does not meet 'compliance'. You can go from auditor A to
auditor B and find your entire compliance removed. Certification is a step
above that because it is meant to be a 'trump' in auditing [not always but
close enough.]
Certification is usually very specific to a particular version of the OS
which has gone through a long certification process. Certification is not
transferable from RHEL to CentOS (depending on the certification it is not
even transferable from version to version of RHEL. Each update has to go
back to the certification authority to confirm it does not lose
certification.
--
Stephen J Smoogen.