Stephen John Smoogen <smo...@gmail.com> writes:

> On Mon, 8 Nov 2021 at 04:32, Michael Schroeder <m...@suse.de> wrote:
>>
>> On Sat, Nov 06, 2021 at 07:43:02AM -0000, Daniel Alley wrote:
>> > Another issue - which is not per-se a security issue but it's still a 
>> > problem - is that deltarpm uses md5 checksums pervasively.  They're 
>> > everywhere.  And it uses its own implementation of md5 which doesn't 
>> > respect FIPS, so even when the user has *explicitly* configured their 
>> > system to not use md5 for anything security-relevant, libdeltarpm won't 
>> > know or care.
>>
>> They are used as a consistency check, it might as well use crc32.
>> So I don't see why FIPS is a concern for you.
>>
>
> In order to get the overall system to be FIPS (and equivalent EU/RU/CN
> ones) certified all the implementations of various functions have to
> be audited and reviewed. Some must be able to be turned off no matter
> what. It doesn't matter if 99 of the 100 versions of md5sum are only
> for consistency, they must be able to be turned off/not used and not
> affect the system.

I don't think that's quite accurate.  If the crypto primitive isn't
being used for security, then FIPS isn't interested - FIPS is only
certifying the cryptography used, and this isn't it.  (It's non-FIPS
relevant.)

This leads to a very common workaround for legacy cryptosystems of
tunneling the "bad" crypto in something else: one example is interacting
with RC4 and NTLM, where they're still used but over a tunnel (TLS, VPN,
etc.) that doesn't expose them.

Be well,
--Robbie

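The distinction the thread turns on (a digest used only to confirm a delta was applied correctly, versus a digest that decides whether the result is trusted) is easier to see in code than in prose. The following is an added example, not deltarpm or libdeltarpm code: a toy delta applier with a constructed delta format (('copy', offset, length) / ('add', bytes)), constructed payloads, and an assumed sysctl path for FIPS detection. The consistency check is MD5 flagged as non-security use (Python's usedforsecurity=False, 3.9+) or plain crc32; the trust decision is a constant-time SHA-256 comparison against a value that, in a real updater, would come from signed repository metadata. The same opt-out idea exists in OpenSSL 3 as a property query when fetching the digest.

```python
import hashlib
import hmac
import zlib


def fips_mode_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True when the Linux kernel reports FIPS mode (the sysctl path is an
    assumption; any other platform simply reports False)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def consistency_md5(data):
    """MD5 as a pure consistency check, declared as non-security use.
    usedforsecurity=False (Python 3.9+) is what keeps hashlib.md5() usable
    on a FIPS-enforcing build; older interpreters don't know the keyword."""
    try:
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    except TypeError:
        return hashlib.md5(data).hexdigest()


def consistency_crc32(data):
    """Non-cryptographic alternative: no FIPS question arises at all."""
    return zlib.crc32(data) & 0xFFFFFFFF


def integrity_sha256(data):
    """The check that decides whether the output is trusted (FIPS-approved)."""
    return hashlib.sha256(data).hexdigest()


def apply_delta(old, ops):
    """Toy delta: ('copy', offset, length) from old, or ('add', bytes)."""
    out = bytearray()
    for op in ops:
        if op[0] == "copy":
            _, off, ln = op
            if off < 0 or ln < 0 or off + ln > len(old):
                raise ValueError("copy range outside old payload")
            out += old[off:off + ln]
        elif op[0] == "add":
            out += op[1]
        else:
            raise ValueError("unknown delta op %r" % (op[0],))
    return bytes(out)


def reconstruct(old, delta, trusted_sha256):
    """Apply a delta and classify the result:
    'inconsistent' - crc32 recorded in the delta doesn't match (corrupt or
                     misapplied delta; a cheap self-check, not a security gate)
    'untrusted'    - consistent, but SHA-256 != value from the trusted source
    'ok'           - both checks pass"""
    new = apply_delta(old, delta["ops"])
    if consistency_crc32(new) != delta["crc32"]:
        return new, "inconsistent"
    if not hmac.compare_digest(integrity_sha256(new), trusted_sha256):
        return new, "untrusted"
    return new, "ok"


# Constructed sample payloads (not real RPM data).
OLD = b"version=1\nfiles=a,b,c\n"
NEW = b"version=2\nfiles=a,b,c,d\n"

# The producer records a crc32 of the expected output next to the ops.
DELTA = {
    "ops": [("add", b"version=2\n"), ("copy", 10, 11), ("add", b",d\n")],
    "crc32": consistency_crc32(NEW),
}


def demo():
    trusted = integrity_sha256(NEW)  # would come from signed metadata
    results = {"honest": reconstruct(OLD, DELTA, trusted)[1]}

    # Corruption in transit: the consistency check catches it first.
    corrupt = dict(DELTA, ops=[("add", b"version=3\n")] + DELTA["ops"][1:])
    results["corrupt"] = reconstruct(OLD, corrupt, trusted)[1]

    # An attacker rewrites the delta *and* its crc32: consistency passes,
    # and only the SHA-256 against the trusted value stops it.
    evil_out = apply_delta(OLD, corrupt["ops"])
    tampered = dict(corrupt, crc32=consistency_crc32(evil_out))
    results["tampered"] = reconstruct(OLD, tampered, trusted)[1]
    results["fips"] = fips_mode_enabled()
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() yields 'ok' for the honest delta, 'inconsistent' for the corrupted one and 'untrusted' for the one whose crc32 was recomputed by the attacker: the crc32/MD5 step never contributes to the security decision, which is exactly why its FIPS status is irrelevant, and why a consistency check that can be forged trivially must always be followed by the approved digest (or signature) comparison.
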
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org