[openstack-dev] [Openstack-operators] FIPS Compliance

Luke Hinds lhinds at redhat.com
Tue Nov 6 14:12:29 UTC 2018


On Tue, Nov 6, 2018 at 2:04 PM Julia Kreger <juliaashleykreger at gmail.com>
wrote:

>
>
> On Tue, Nov 6, 2018 at 5:07 AM Doug Hellmann <doug at doughellmann.com>
> wrote:
>
>> Sean McGinnis <sean.mcginnis at gmx.com> writes:
>>
>> > I'm interested in some feedback from the community, particularly those
>> running
>> > OpenStack deployments, as to whether FIPS compliance [0][1] is
>> something folks
>> > are looking for.
>> [trim]
>>
>> I know we've had some interest in it at different times. I think some of
>> the changes will end up being backwards-incompatible, so we may need a
>> "FIPS-mode" configuration flag for those, but in other places we could
>> just switch hashing algorithms and be fine.
>>
>> I'm not sure if anyone has put together the details of what would be
>> needed to update each project, but this feels like it could be a
>> candidate for a goal for a future cycle once we have that information
>> and can assess the level of effort.
>>
>> Doug
>>
>>
> +1 to a FIPS-mode. I think it would be fair to ask projects, to over the
> course of the next month or three, to evaluate their current standing and
> report what they perceive the effort to be.
>
> I think only then we can really determine if it is the right direction to
> take for a cycle goal.
>
> -Julia
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>


Understand it's early to be discussing design, but would like to get it on
record  that if we can, we should try to use 'Algorithm Agility' rather
then all moving to the next one up and setting to SHA<XXX>. That way we can
deal with what might seem unfathomable now, happening later (strong cryptos
getting cracked).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20181106/e2c425a7/attachment.html>


More information about the OpenStack-dev mailing list