
pkcs11 message



Subject: Fwd: Re: [pkcs11] Validation constants in KMIP



Oops, I meant this to go to tim and the mailing list, not just to tim.

-------- Forwarded Message --------
Subject: Re: [pkcs11] Validation constants in KMIP
Date: Wed, 20 Apr 2022 09:06:49 -0700
From: Robert Relyea <rrelyea@redhat.com>
To: Tim Hudson <tjh@cryptsoft.com>


On 4/19/22 3:29 PM, Tim Hudson wrote:
On Wed, Apr 20, 2022 at 8:17 AM Robert Relyea <rrelyea@redhat.com> wrote:
On 4/19/22 2:53 PM, Tim Hudson wrote:
KMIP details below.

Thanks Type. Validation type is different than I thought. I thought it would indicate FIPS-140 versus some other NIST validation. So what would be the values for FIPS-140-2 level 1, and FIPS-140-3 level 2?

bob


Authority Type is the program authority - which is the specific program that is providing validations.
We expect to add other programs on request - i.e. define additional enumerations.
Like PKCS#11, KMIP also has extension encoding options for vendor-specific/private enumeration values.

So NIST CMVP == FIPS 140. NIST also has validations, but those are covered under CMVP or are portions that become part of the FIPS-140 validation (algorithms validations, rng validations etc.).

I'm OK with that, but it means we can't mark a rng validation outside of a full FIPS validation.

bob


FIPS 140-2 level 1

   <ValidationInformation>
    <ValidationAuthorityType type="Enumeration" value="NISTCMVP"/>
    <ValidationAuthorityCountry type="TextString" value="US"/>
    <ValidationAuthorityURI type="TextString" value="http://csrc.nist.gov/groups/STM/cmvp/"/>
    <ValidationVersionMajor type="Integer" value="2"/>
    <ValidationType type="Enumeration" value="Software"/>
    <ValidationLevel type="Integer" value="1"/>
    <ValidationCertificateIdentifier type="TextString" value="1747"/>
    <ValidationCertificateURI type="TextString" value="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1747"/>
   </ValidationInformation>

FIPS 140-3 level 2

   <ValidationInformation>
    <ValidationAuthorityType type="Enumeration" value="NISTCMVP"/>
    <ValidationAuthorityCountry type="TextString" value="US"/>
    <ValidationAuthorityURI type="TextString" value="http://csrc.nist.gov/groups/STM/cmvp/"/>
    <ValidationVersionMajor type="Integer" value="3"/>
    <ValidationType type="Enumeration" value="Software"/>
    <ValidationLevel type="Integer" value="2"/>
    <ValidationCertificateIdentifier type="TextString" value="1747"/>
    <ValidationCertificateURI type="TextString" value="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1747"/>
   </ValidationInformation>

Note that NIST has changed its URLs since those examples were written.


Thanks, I'll probably include these examples as samples inside the documentation. FIPS is a big enough case to feature an example.

bob


https://csrc.nist.gov/projects/cryptographic-module-validation-program/
and
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1747

Would be the "current" links and the previous links do redirect (although the certificate based redirect only redirects to the main module search page).

Tim.
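
The mapping discussed in this thread (authority type NISTCMVP, major version for 140-2 versus 140-3, and level) can be checked mechanically. The following is an added example, not part of the original messages or of any KMIP or PKCS#11 implementation; the function names, the set of required fields and the minimum-level policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input, use a hardened XML parser

# Constructed sample: the thread's FIPS 140-3 level 2 structure, certificate fields omitted.
SAMPLE = """<ValidationInformation>
 <ValidationAuthorityType type="Enumeration" value="NISTCMVP"/>
 <ValidationAuthorityCountry type="TextString" value="US"/>
 <ValidationVersionMajor type="Integer" value="3"/>
 <ValidationType type="Enumeration" value="Software"/>
 <ValidationLevel type="Integer" value="2"/>
</ValidationInformation>"""

# Fields this example requires (an assumption), with the type attribute shown in the thread.
REQUIRED = {
    "ValidationAuthorityType": "Enumeration",
    "ValidationVersionMajor": "Integer",
    "ValidationType": "Enumeration",
    "ValidationLevel": "Integer",
}

def parse_validation(xml_text):
    """Return the required fields as a dict; raise ValueError on a malformed structure."""
    root = ET.fromstring(xml_text)
    if root.tag != "ValidationInformation":
        raise ValueError("unexpected root element: " + root.tag)
    info = {}
    for name, want_type in REQUIRED.items():
        elems = root.findall(name)
        if len(elems) != 1:  # a missing or duplicated field is ambiguous, so reject it
            raise ValueError(f"{name}: expected exactly one, found {len(elems)}")
        if elems[0].get("type") != want_type:
            raise ValueError(f"{name}: type attribute is not {want_type}")
        value = elems[0].get("value", "")
        info[name] = int(value) if want_type == "Integer" else value
    return info

def fips_label(info):
    """Map NISTCMVP + major version + level to 'FIPS 140-N level M', else None."""
    if info["ValidationAuthorityType"] != "NISTCMVP":
        return None  # a different program authority is not a FIPS 140 validation
    return "FIPS 140-{} level {}".format(
        info["ValidationVersionMajor"], info["ValidationLevel"])

def meets_minimum(info, major, level):
    """Hypothetical policy: CMVP validation at or above the given version and level."""
    return (fips_label(info) is not None
            and info["ValidationVersionMajor"] >= major
            and info["ValidationLevel"] >= level)
```
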



