I am +1, but I am not familiar with the nuanced differences of these jars, so it'd be valuable to get other opinions, too.
I tried to understand why the default is the way it is, and it looks like Jia Zhai was involved in the initial work [0]. I see in the slack digest on our mailing list that there is an indication that we could make the FIPS version the default. Here are some relevant messages from the ML [1][2][3] > 2020-10-26 06:43:48 UTC - Anup Ghatage: I noticed that Pulsar doesn’t have > BouncyCastle FIPS switched on by default but the documentation leaves it up > to the implementers to choose. Is there any specific reason for this? I thought BC-FIPS comes with the usual BouncyCastle stuff + FIPS compliance (which would be a good thing) right? > 2020-10-26 08:37:13 UTC - Sijie Guo: @jia zhai would have a better answer for > it. > 2020-10-26 12:59:16 UTC - jia zhai: @Sijie Guo @Anup Ghatage right, there is > no specific reason for this. It seems be more related to the project > building, we may need to config the profile to build different bc type. but > this seems a little hard in maven:joy:. It would be helpful, if anyone would like to contribute to this feature. > 2020-10-26 16:31:57 UTC - Anup Ghatage: I’m thinking why not keep it on by > default? There aren’t any API differences for the most part. That way Pulsar > will be FIPS compliant all the time. > 2020-10-28 01:53:06 UTC - jia zhai: we could consider that in the future. > current way is to align with the old manner. usually user will provide their > own security jars, such as BouncyCastle, and non-fips version maybe used in a > more wide range. Also, do we need to update our cryptography notice on our README about our bouncy castle usage [4] if we make this the default? Thanks, Michael [0] https://github.com/apache/pulsar/pull/6588 [1] https://lists.apache.org/thread/fln8o94t0gxnd54fr7tn4hrjp23mj48r [2] https://lists.apache.org/thread/xmrhyo1fkdhm4l9xz0t66yk5pk5g5f6p [3] https://lists.apache.org/thread/fs8rx620oq7q7px1mqs3k7qdoz3oz0s4 [4] https://github.com/apache/pulsar#crypto-notice On Wed, Feb 22, 2023 at 7:56 AM Zixuan Liu <node...@gmail.com> wrote: > > > 1. What is FIPS? > > FIPS (Federal Information Processing Standards) are a set of standards that > describe document processing, encryption algorithms and other information > technology standards for use within non-military government agencies and by > government contractors and vendors who work with the agencies. > > > 2. Why is the FIPS version safer exactly? > > FIPS standard is strict. When using the FIPS version, this is also very > strict and standard. > > > 3. What is bouncycastle used exactly in Pulsar? > > We use the bouncycastle as the TLS provider, and used for the end-to-end > message encryption. > > Thanks, > Zixuan > > Asaf Mesika <asaf.mes...@gmail.com> 于2023年2月22日周三 21:23写道: > > > Can you elaborate a bit: > > 1. What is FIPS? > > 2. Why is the FIPS version safer exactly? > > 3. What is bouncycastle used exactly in Pulsar? > > > > > > > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <node...@gmail.com> wrote: > > > > > Hi all, > > > > > > I would like to discuss using the bouncycastle fips instead of the > > > bouncycastle non-fips. > > > > > > The bouncycastle is a Java library that complements the default Java > > > Cryptographic Extension (JCE), which has two versions: fips version and > > > non-fips version. > > > > > > The fips version is safer than non-fips. When the security level is very > > > high, many policies require the fips version, but the Pulsar default uses > > > the non-fips version. Switch this is complex, because > > > the `pulsar-client-messagecrypto-bc` module and root project depends on > > the > > > non-fips, so I suggest we switch to fips version from non-fips. > > > > > > Reference: > > > - https://www.bouncycastle.org/ > > > - https://www.bouncycastle.org/fips_faq.html > > > - https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards > > > > > > Thanks, > > > Zixuan > > > > >
