tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Is Tomcat5.0 FIPS compliant?
Date Mon, 14 Jan 2008 14:01:16 GMT
robingandhi21 wrote:
> 
> Info regarding FIPS is:The Federal Information Processing Standard 140-1
> (FIPS 140-1) and its successor FIPS 140-2 are United States Government
> standards that provide a benchmark for implementing cryptographic software.
> They specify best practices for implementing crypto algorithms, handling key
> material and data buffers, and working with the operating system.

It's a boolean, a certificate is issued or it's not.

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

demonstrates one provider, IBM JSSE 1.1 operating in FIPS mode, that
has that FIPS-140-2 certification, along with a host of hardware
solutions.  I didn't see any other JSSE provider, but didn't read it
that closely for you.

Tomcat doesn't implement cryptography but consumes a crypto provider,
so you have to look at the underlying components, or configure a
solution leveraging FIPS certified hardware, which is why your post
didn't garner much attention from Tomcat devs.

Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message