[openstack-dev] Fwd: Re: [requirements][kolla][security] pycrypto vs cryptography

Ian Cordasco sigmavirus24 at gmail.com
Wed Nov 9 13:56:16 UTC 2016


Apparently Paul's email didn't make it through, so I'm forwarding it
to y'all since it's pertinent information.

-----Original Message-----
From: Paul Kehrer <paul.kehrer at rackspace.com>
Reply: Paul Kehrer <paul.kehrer at rackspace.com>
Date: November 8, 2016 at 23:39:32
To: Ian Cordasco <sigmavirus24 at gmail.com>, OpenStack Development
Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Subject:  Re: [openstack-dev] [requirements][kolla][security] pycrypto
vs cryptography

> Cryptography will build just fine against a FIPS OpenSSL (1.0.0 or newer, although we’re
> in the process of dropping < 1.0.1 support in the next several months). It is a supported
> configuration, but enabling FIPS mode (if it’s not on by default) is not something cryptography
> currently exposes (FIPS_mode_set). Rob and Ian’s points about the value of FIPS are
> generally in line with my own opinions. In the absence of an audit requirement I’d recommend
> looking for well-vetted and widely used libraries above trying to meet a specific compliance
> regime.
>
> -Paul
>
> On 11/9/16, 5:11 AM, "Ian Cordasco" wrote:
>
> -----Original Message-----
> From: Rob C
> Reply: OpenStack Development Mailing List (not for usage questions)
>
> Date: November 7, 2016 at 07:39:57
> To: OpenStack Development Mailing List (not for usage questions)
>
> Subject: Re: [openstack-dev] [requirements][kolla][security] pycrypto
> vs cryptography
>
> > Good question, I know issues around this have arisen before.
> >
> > I think the main points have been covered well already, for my part I will
> > always lean toward the better supported or actively developed project.
>
> At this point PyCrypto actively tells users that it's not supported or
> developed. They've been pushing people towards Cryptography.
>
> > I understand the desire to look for FIPS 140-2 compliance, however I'd
> > caution about this being the only deciding factor, it makes software
> > development messy as only specific implementations can be validated. If you
> > want to update code to make improvements etc., you may need a whole
> > re-validation. I'm not saying that FIPS 140-2 doesn't have value, but I know
> > of software projects that have used known-bad implementations that had
> > certification rather than use an updated version with no issues - (like I said,
> > it gets messy).
> >
> > The OpenSSL guys wrote a good article on FIPS validation, how they tackled
> > it and some of the impact etc [1]
> >
> > -Rob
> >
> > [1] https://www.openssl.org/docs/fipsnotes.html
>
> I would strongly suggest you read Rob's link. It's very enlightening
> to know why, while FIPS may be a requirement, it's not necessarily
> beneficial from a security standpoint. It's also ridiculously
> expensive and restrictive.
>
> I've CC'd one of the lead developers from the Cryptography project to
> comment on this. I would hazard a guess that one could compile
> Cryptography against a version of OpenSSL that is FIPS compliant, but
> I doubt it'll be considered supported. I know Cryptography recently
> dropped support for a few older versions of OpenSSL, and to work with
> that you'd have to stick to an older version of Cryptography.
>
> Can I ask why FIPS compliance is a requirement for Kolla? This seems
> like an odd request for a deployment project.
>
> > On Sun, Nov 6, 2016 at 4:44 PM, Jeremy Stanley wrote:
> >
> > > On 2016-11-06 14:59:03 +0000 (+0000), Jeremy Stanley wrote:
> > > > On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote:
> > > [...]
> > > > > An orthogonal question I have received from one of our community
> > > > > members (Pavo on irc) is whether pycrypto (or if we move to
> > > > > cryptography) provide FIPS-140-2 compliance.
> > > >
> > > > My understanding is that if you need, for example, a FIPS-compliant
> > > > AES implementation under the hood, then this is dependent more on
> > > > what backend libraries you're using... e.g.,
> > > > https://www.openssl.org/docs/fips.html
> > > > https://www.openssl.org/docs/fipsvalidation.html
>
> --
> Ian Cordasco

--
Ian Cordasco