<div dir="ltr"><div class="gmail_extra">Good question, I know issues around this have arisen before.</div><div class="gmail_extra"><br></div><div class="gmail_extra">I think the main points have been covered well already, for my part I will always lean toward the better supported or actively developed project.</div><div class="gmail_extra"><br></div><div class="gmail_extra">I understand the desire to look for FIPS 140-2 compliance, however I'd caution about this being the only deciding factor, it makes software development messy as only specific implementations can be validated. If you want to update code to make improvements etc you can need a whole re-validation. I'm not saying that FIPS 140-2 doesn't have value but I know of software projects that have used known-bad implementations that had certification rather use an updated version with no issues - (like I said, it gets messy).</div><div class="gmail_extra"><br></div><div class="gmail_extra">The OpenSSL guys wrote a good article on FIPS validation, how they tackled it and some of the impact etc [1]</div><div class="gmail_extra"><br></div><div class="gmail_extra">-Rob</div><div class="gmail_extra"><br></div><div class="gmail_extra">[1] <a href="https://www.openssl.org/docs/fipsnotes.html">https://www.openssl.org/docs/fipsnotes.html</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Nov 6, 2016 at 4:44 PM, Jeremy Stanley <span dir="ltr"><<a href="mailto:fungi@yuggoth.org" target="_blank">fungi@yuggoth.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On 2016-11-06 14:59:03 +0000 (+0000), Jeremy Stanley wrote:<br>
> On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote:<br>
</span>[...]<br>
<span class="gmail-">> > An orthogonal question I have received from one of our community<br>
> > members (Pavo on irc) is whether pycrypto (or if we move to<br>
> > cryptography) provide FIPS-140-2 compliance.<br>
><br>
> My understanding is that if you need, for example, a FIPS-compliant<br>
> AES implementation under the hood, then this is dependent more on<br>
> what backend libraries you're using... e.g.,<br>
> <a href="https://www.openssl.org/docs/fips.html" rel="noreferrer" target="_blank">https://www.openssl.org/docs/<wbr>fips.html</a><br>
> <a href="https://www.openssl.org/docs/fipsvalidation.html" rel="noreferrer" target="_blank">https://www.openssl.org/docs/<wbr>fipsvalidation.html</a><br>
<br>
</span>I should clarify: I was referring specifically to<br>
pyca/cryptography's OpenSSL backend. In contrast, the pycrypto<br>
maintainers seem to have copied and forked a variety of algorithms<br>
(some of which seem to be based on NIST/FIPS reference implementations<br>
for C or backports from bits of the Py3K stdlib, but have undergone<br>
subsequent modification), so very likely have not been put through<br>
any sort of direct compliance validation:<br>
<a href="https://github.com/dlitz/pycrypto/blob/master/src/AES.c" rel="noreferrer" target="_blank">https://github.com/dlitz/<wbr>pycrypto/blob/master/src/AES.c</a><br>
<a href="https://github.com/dlitz/pycrypto/blob/master/src/SHA512.c" rel="noreferrer" target="_blank">https://github.com/dlitz/<wbr>pycrypto/blob/master/src/<wbr>SHA512.c</a><br>
et cetera...<br>
<span class="gmail-HOEnZb"><font color="#888888">--<br>
Jeremy Stanley<br>
<br>
__________________________________________________________________________<br>
</font></span><span class="gmail-im gmail-HOEnZb">OpenStack Development Mailing List (not for usage questions)<br>
</span><div class="gmail-HOEnZb"><div class="gmail-h5">Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br></div></div>