couchdb-user mailing list archives

From Jan Lehnardt <...@apache.org>
Subject Re: PBDK2 implementation specs
Date Tue, 09 Dec 2014 09:39:13 GMT

> On 08 Dec 2014, at 19:29 , Jason Winshell (Bear River) <jasonw@bearriver.com> wrote:
>
> I think it would be wise for a second set of eyeballs to go over the FIPS document I
> cited to verify FIPS compliance before updating CouchDB documentation. I've been working diligently
> for some time to get CouchDB approved for specific federal government applications. Government
> agencies take IT security very seriously. Federal IT security reviews are compartmentalized
> and the people that work in them don't have a lot of time or patience to pick apart unfamiliar
> technologies on their own. Documentation that specifically identifies FIPS/NIST standards
> is very helpful. There are a number of topics that need addressing: the user credential/authentication
> model, network security, data encryption, data audit trails and cryptography. I'd be happy
> to continue the conversation on private channels.

Ah, I didn’t mean adding that CouchDB is FIPS compliant. I was thinking of the “SHA1 HMAC
is been used with derived key length of 160 bits long, salt - 128 bit, randomly generated.”
part from Alexander, so people can do this assessment without having to read the code :)

If we get some community activity around vetting that CouchDB is actually FIPS/NIST compliant,
that would be totally awesome. Is anyone up for that?

Best
Jan
-- 
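
The parameters quoted in the reply above (HMAC-SHA1 as the PRF, a 160-bit derived key, a 128-bit random salt) written out as a PBKDF2 derivation per RFC 8018. This is an added example, not part of the original message and not CouchDB's own code. The iteration count and the record field names are assumptions; the thread gives neither.

```python
import hashlib
import hmac
import os
import struct

DK_LEN = 20        # 160-bit derived key, as quoted in the thread
SALT_LEN = 16      # 128-bit random salt, as quoted in the thread
ITERATIONS = 1000  # assumption: the thread does not state an iteration count


def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int, dk_len: int = DK_LEN) -> bytes:
    """PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA1 as the PRF."""
    h_len = hashlib.sha1().digest_size  # 20 bytes
    blocks = -(-dk_len // h_len)        # ceiling; exactly 1 for a 160-bit key
    out = b""
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}), T_i = U_1 ^ ... ^ U_c
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(h_len, "big")
    return out[:dk_len]


def new_record(password: str, iterations: int = ITERATIONS) -> dict:
    # Field names are illustrative, chosen for this example.
    salt = os.urandom(SALT_LEN)  # fresh CSPRNG salt per credential
    dk = pbkdf2_sha1(password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "derived_key": dk.hex()}


def verify(password: str, record: dict) -> bool:
    # Re-derive with the stored salt and count, then compare in constant time.
    dk = pbkdf2_sha1(password.encode(), bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["derived_key"])


def matches_stdlib(password: bytes, salt: bytes, iterations: int) -> bool:
    # Cross-check the hand-written derivation against hashlib's PBKDF2.
    return pbkdf2_sha1(password, salt, iterations) == hashlib.pbkdf2_hmac(
        "sha1", password, salt, iterations, DK_LEN)
```

With a 160-bit output and SHA-1 as the hash, the derived key is exactly one PBKDF2 block, so no second block is computed or truncated.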

