Dimitri John Ledkov
Dimitri John Ledkov
Note it is always best to read [FIPS 140-3 IG](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf) - Latest version bit on https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig-announcements as it is continiously updated with questions and answers stating what is no longer...
> FIPS186-4 is Signatures. You refer to DSA above. > DH is KAS SP800-56A. > > They share FFC.. But one doesn't imply the other. > > e.g. Sp800-56A Section...
> [8] Even after the transition date, DSA Key Gen and DSA PQG Gen tests are still permitted only for legacy purposes as part of an approved SP 800-56Arev3 FFC...
https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf Has verbose answer C.K. pages 128-130 that addresses how to resolve this conflict. And dates what they will and will not accept. It's very narrow scope.
https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search?searchMode=implementation&product=Openssl&productType=-1&algorithm=87&ipp=25 I am not sure if I am doing the correct search but I think one can find which algorithms were tested by whom. And this is the list of...
"would still be allowed for legacy purposes" how to signal legacy purposes? do we need something like "fips-legacy-purpose" service indicator? Note that over lifetime of the module, meaning of "fips-legacy-purpose"...
Slightly confused as to what indicator to even raise here, or why would it be a configure time option. Cause raising fips-approved/fips-unapproved is not right here. Raising "fips-legacy-use" makes no...
Alternative implementation proposed in https://github.com/openssl/openssl/pull/25720 which adds a compile time option to opt-out of FIPS 186-4 type parameters in the FIPS module. Which imho is cleaner. Thinking about an indicator...
Argocd upstream => due to inability to resolve branches of the pseudoversion can you please consider tagging v0.7.2 in argoproj/gitops-engine project master branches, such that once enough things upgrade to...
Wait tag v0.7.2 would be too low. It likely needs to be v0.7.4.11,v0.7.4.12, v0.7.4.13, v0.7.4.14, v0.7.4.15 on each of the release branches at the commits that fixed the CVE. Then...