This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
[COMMITTED] v2: manual/crypt.texi: Mention FIPS 140-2 compliance and Secure RPC.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: libc-alpha at sourceware dot org, Roland McGrath <roland at hack dot frob dot com>
- Date: Sat, 19 Oct 2013 00:14:48 -0400
- Subject: [COMMITTED] v2: manual/crypt.texi: Mention FIPS 140-2 compliance and Secure RPC.
- Authentication-results: sourceware.org; auth=none
- References: <524CDC85 dot 5080000 at redhat dot com> <20131003195345 dot B942E2C070 at topped-with-meat dot com> <524DD9CE dot 1010004 at redhat dot com>
On 10/03/2013 04:55 PM, Carlos O'Donell wrote:
> On 10/03/2013 03:53 PM, Roland McGrath wrote:
>>> +@cindex AUTH_DES
>>
>> @vindex for an identifier.
>
> Fixed.
>
>>> +@cindex FIPS 140-2
>>> It also provides support for Secure RPC, and some library functions that
>>> -can be used to perform normal DES encryption.
>>> +can be used to perform normal DES encryption. The use of DES when
>>> +using @code{AUTH_DES} in Secure RPC for authentication as provided by
>>> +@theglibc{} is not FIPS 140-2 compliant nor is any other use of DES
>>> +within @theglibc{}. It is recommended that Secure RPC should not be used
>>> +for systems that need to be FIPS 140-2 compliant since all forms of
>>> +supported authentication use normal DES.
>>
>> Two spaces between sentences. "is not FIPS 140-2 compliant" is a bit
>> awkward, especially since to my eye it should be "blah-compliant" rather
>> than "blah compliant". I think "does not comply with FIPS 140-2" works
>> better (and "need to comply with FIPS 140-2" later).
>
> It's `blah-compliant' if it is a compound adjective modifying a noun
> e.g. FIPS 140-2-compliant cryptography. The same rules apply for
> command-line vs. command line.
>
> In this case I was specifically talking about compliance without modifying
> a noun. However, your recommendation is better than the original wording.
>
> Better?
>
> v2
> - Use @vindex for AUTH_DES
> - Two spaces between sentences.
> - Rewrote awkward sentence structure.
> - Looked up what ONC+ calls AUTH_DES and it says "authentication flavor"
> therefore use "flavor".
>
> 2013-10-03 Carlos O'Donell <carlos@redhat.com>
>
> * manual/crypt.texi (Cryptographic Functions): Using SunRPC and
> AUTH_DES will prevent FIPS 140-2 compliance. Add vindex for
> AUTH_DES and cindex for FIPS 140-2.
> (DES Encryption): Add cindex FIPS 46-3.
>
> diff --git a/manual/crypt.texi b/manual/crypt.texi
> index ef90590..5423c05 100644
> --- a/manual/crypt.texi
> +++ b/manual/crypt.texi
> @@ -30,8 +30,15 @@ message-digest algorithm that is compatible with modern BSD systems,
> and the other based on the Data Encryption Standard (DES) that is
> compatible with Unix systems.
>
> +@vindex AUTH_DES
> +@cindex FIPS 140-2
> It also provides support for Secure RPC, and some library functions that
> -can be used to perform normal DES encryption.
> +can be used to perform normal DES encryption. The @code{AUTH_DES}
> +authentication flavor in Secure RPC, as provided by @theglibc{},
> +uses DES and does not comply with FIPS 140-2 nor does any other use of DES
> +within @theglibc{}. It is recommended that Secure RPC should not be used
> +for systems that need to comply with FIPS 140-2 since all flavors of
> +encrypted authentication use normal DES.
>
> @menu
> * Legal Problems:: This software can get you locked up, or worse.
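
Review bot: The recommendation in the last added sentence covers only Secure RPC, although the sentence before it states that no other use of DES within @theglibc{} complies with FIPS 140-2 either, and the context lines just above mention another facility in this chapter that is based on DES. Consider widening the recommendation to the other DES interfaces documented here, or adding a pointer to the DES Encryption node. On wording, "It is recommended that Secure RPC should not be used" doubles up the modal; "Secure RPC should not be used on systems that need to comply with FIPS 140-2" is tighter, and "does not comply with FIPS 140-2 nor does any other use" reads better with a comma before "nor".
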
> @@ -203,6 +210,7 @@ header @file{crypt.h}.
> @node DES Encryption
> @section DES Encryption
>
> +@cindex FIPS 46-3
> The Data Encryption Standard is described in the US Government Federal
> Information Processing Standards (FIPS) 46-3 published by the National
> Institute of Standards and Technology. The DES has been very thoroughly
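
Review bot: Nothing at the DES Encryption node points back to the FIPS 140-2 statement added in the first hunk, so a reader who reaches this section through the new FIPS 46-3 index entry will not see that DES use in @theglibc{} does not comply with FIPS 140-2. Consider adding a second "@cindex FIPS 140-2" next to the new entry, or a one-sentence cross-reference from this section to the Cryptographic Functions introduction.
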

I've gone ahead and committed v2 since I think it resolves
your review comments, is better than what I started with,
and fixes the issue at hand with FIPS compliance questions.

I'm more than happy to do another round of edits before 2.19
goes out the door, but I think this is good.

Cheers,
Carlos.