Hi Simo,

Thanks for the clear response. 
This is more in keeping with my understanding of the assurance process.

In short 

That being said, in some environments you only need to demonstrate the use of specific cryptographic operations, which may be embodied by FIPS evaluation, in which case it's a reasonable shortcut.

So rather than shooting yourself in the foot, it can make your life significantly simpler. Also, most auditors don't really understand the more esoteric aspects of these processes and concentrate on things that they can understand.

However, that lack of understanding is also a two-edged sword. ;-)

-----Original Message-----
From: Simo Sorce via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Steve Reed <scottmreed@hotmail.com>, Simo Sorce <simo@redhat.com>
Subject: [Freeipa-users] Re: FreeIPA and FIPS
Date: Mon, 19 Apr 2021 17:08:04 -0400

Hi Steve,

On Mon, 2021-04-19 at 19:08 +0000, Steve Reed via FreeIPA-users wrote:
Hi Stephen,

True.  I understand that, but I think we are getting off track to my
original question.  Can you run a FIPS FreeIPA server and still have
the clients work with it?  It's not necessarily required to have the
clients FIPS compliant, but the server must since it has to do the
encryption for data that it stores.

Yes, you can run a server in FIPS mode, and clients will generally talk
to it just fine. FIPS mode in RHEL simply reduces the set of available
algorithms, so clients have less to choose from but will work just fine.

The caveat is if you have non-RHEL clients that are either very old, or
somewhat "special", and support only a subset of (old/different)
algorithms that are not supported by the server in FIPS mode.

So the answer is generally "yes with some caveats".

Note that these caveats are also valid in general for running on RHEL,
where we apply somewhat stringent crypto policies to avoid old and weak
protocols by default.

And I appreciate that everyone is trying to save me some time, but it
has been decided that we will use FIPS unless it proves not
beneficial.

Just a note for everyone looking at this thread.
FIPS mode can be used at any time without restriction, so you are
welcome to use it. Many choose to use FIPS mode to make sure only tested
and approved algorithms are used.

However, FIPS compliance is technically possible only with certified
modules. And Red Hat certifies exclusively RHEL binary builds (I know
because I do that). You can check the certificates on the CMVP website
and the related Security Policy documents for more details. 

CentOS (or any other rebuild) builds are not covered by Red Hat
Certificates and I am not aware of anyone else certifying CentOS
binaries either.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
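An added example, not part of this thread or of FreeIPA itself, for anyone who wants to confirm what Simo describes on their own hosts: whether the kernel's FIPS flag is set, which system-wide crypto policy is active (FIPS mode in RHEL is implemented largely through the `FIPS` crypto policy), and whether a given client can still complete a TLS handshake against a FIPS-mode server. It assumes a RHEL-family host for `update-crypto-policies` and `/etc/crypto-policies/config`; on other systems the functions report "unknown" rather than failing. The `probe_tls` host and port are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the thread): report FIPS state and crypto policy,
# and probe whether a client can still negotiate TLS with a given server.
# Assumes RHEL-family tooling; degrades to "unknown" elsewhere.

# Print "enabled", "disabled" or "unknown" from the kernel FIPS flag.
# Optional first argument overrides the flag path (used for testing).
fips_state() {
    flag=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$flag" ]; then
        case "$(cat "$flag")" in
            1) echo enabled ;;
            0) echo disabled ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# Print the active system-wide crypto policy (e.g. DEFAULT, FIPS, LEGACY).
crypto_policy() {
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show 2>/dev/null || echo unknown
    elif [ -r /etc/crypto-policies/config ]; then
        # Fallback: the policy name is the first non-comment line.
        grep -v '^#' /etc/crypto-policies/config | head -n 1
    else
        echo unknown
    fi
}

# Check whether this client can complete a TLS handshake with host:port.
# Useful for the "old or special client" caveat: run it from the client
# against the FIPS-mode server and look for "ok" or "failed".
# Arguments: host port (placeholders; supply your own server).
probe_tls() {
    host=$1; port=${2:-443}
    if openssl s_client -connect "$host:$port" </dev/null >/dev/null 2>&1; then
        echo ok
    else
        echo failed
    fi
}

# Stand-alone run: summarize the local host.
report() {
    printf 'fips_mode=%s\n' "$(fips_state)"
    printf 'crypto_policy=%s\n' "$(crypto_policy)"
}

report
```

Run it on the server to confirm `fips_mode=enabled` and `crypto_policy=FIPS` before pointing clients at it; then run `probe_tls ipa.example.test 443` (your own hostname) from any client you are unsure about, which answers the "will this old client still talk to it" question directly without touching the server configuration.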



_______________________________________________
FreeIPA-users mailing list -- 
freeipa-users@lists.fedorahosted.org

To unsubscribe send an email to 
freeipa-users-leave@lists.fedorahosted.org

Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: 
https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure