On Mon, Feb 27, 2023 at 4:35 PM Zixuan Liu <node...@gmail.com> wrote:

> > users might get exceptions if they don't use specific algorithms or
> > encryption schemes?
>
> Could you share more info about this?

Actually I was expecting that part of the discussion will specify the
difference between using FIPS compared with non-FIPS, in each BouncyCastle
usage: TLS and message encryption.
I imagined that FIPS has a shorter list of ciphers it supports.

> Asaf Mesika <asaf.mes...@gmail.com> wrote on Mon, Feb 27, 2023 at 18:01:
>
> > So if I understand you correctly, once you switch to the FIPS version of
> > Bouncy Castle, users might get exceptions if they don't use specific
> > algorithms or encryption schemes?
> > Potentially a breaking change?
> > You can't switch it off via config?
> >
> > On Wed, Feb 22, 2023 at 3:56 PM Zixuan Liu <node...@gmail.com> wrote:
> >
> > > > 1. What is FIPS?
> > >
> > > FIPS (Federal Information Processing Standards) are a set of standards
> > > that describe document processing, encryption algorithms and other
> > > information technology standards for use within non-military government
> > > agencies and by government contractors and vendors who work with the
> > > agencies.
> > >
> > > > 2. Why is the FIPS version safer exactly?
> > >
> > > FIPS standard is strict. When using the FIPS version, this is also very
> > > strict and standard.
> > >
> > > > 3. What is bouncycastle used exactly in Pulsar?
> > >
> > > We use the bouncycastle as the TLS provider, and used for the
> > > end-to-end message encryption.
> > >
> > > Thanks,
> > > Zixuan
> > >
> > > Asaf Mesika <asaf.mes...@gmail.com> wrote on Wed, Feb 22, 2023 at 21:23:
> > >
> > > > Can you elaborate a bit:
> > > > 1. What is FIPS?
> > > > 2. Why is the FIPS version safer exactly?
> > > > 3. What is bouncycastle used exactly in Pulsar?
> > > >
> > > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <node...@gmail.com> wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > I would like to discuss using the bouncycastle fips instead of the
> > > > > bouncycastle non-fips.
> > > > >
> > > > > The bouncycastle is a Java library that complements the default Java
> > > > > Cryptographic Extension (JCE), which has two versions: fips version
> > > > > and non-fips version.
> > > > >
> > > > > The fips version is safer than non-fips. When the security level is
> > > > > very high, many policies require the fips version, but the Pulsar
> > > > > default uses the non-fips version. Switching this is complex, because
> > > > > the `pulsar-client-messagecrypto-bc` module and root project depend
> > > > > on the non-fips, so I suggest we switch to fips version from non-fips.
> > > > >
> > > > > Reference:
> > > > > - https://www.bouncycastle.org/
> > > > > - https://www.bouncycastle.org/fips_faq.html
> > > > > - https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > > > >
> > > > > Thanks,
> > > > > Zixuan