SSH and Telnet [was Re: [Ma-linux] Two Sun Announcements]
James Ewing Cottrell 3rd
JECottrell3 at comcast.net
Thu Feb 15 04:32:52 EST 2007
Wasn't allowed to be used by whom? With all due respect, few people
actually care about FIPS. I ought to know; I worked at NBS for five years.
JIM
Przemek Klosowski wrote:
> The ssh monoculture refers to the proportion of unix systems that are
> running a single implementation (openssh) of the ssh protocol, or the
>
> Interestingly, OpenSSH until very recently was not even allowed,
> legally, to be used by the US and Canadian Government and anyone else
> who requires a formal FIPS 140-2 certification for cryptographic
> modules. There was apparently an issue that popped up last spring,
> that caused the crypto group at NIST to suspend the certification
> for the SSL crypto that SSH is built upon. I tried to raise a stink
> about it, as it essentially took out the most commonly used crypto
> library on the planet---both Apache and OpenSSH on Linux depend on it.
>
> The issue was resolved recently: http://oss-institute.org/FIPS_733.
> Hopefully we are back in good legal stead as well as hopefully have
> fixed all the bugs :)
>
> Of course, the real problem is not the crypto, but the infrastructure
> built upon it, as Mike described. The FIPS cert doesn't address that
> at all.
>_______________________________________________
>Ma-linux mailing list
>Ma-linux at calypso.tux.org
>http://calypso.tux.org/cgi-bin/mailman/listinfo/ma-linux