paulidale
commented
1 year ago Calling a vote to accept openssl/openssl#21363 subject to the usual review process
Closed paulidale closed 1 year ago
paulidale
commented
1 year ago Calling a vote to accept openssl/openssl#21363 subject to the usual review process
paulidale
commented
1 year ago vote: +1
slontis
commented
1 year ago vote: +1
beldmit
commented
1 year ago vote: +1
I should say that enforcing EMS. significantly breaks backward compatibility and there will be gazillion of questions "why it doesn't work and how to make it work without breaking FIPS compliance"
mspncp
commented
1 year ago vote: +1
mattcaswell
commented
1 year ago vote: +1
hlandau
commented
1 year ago vote: +1
paulidale
commented
1 year ago I should say that enforcing EMS. significantly breaks backward compatibility and there will be gazillion of questions "why it doesn't work and how to make it work without breaking FIPS compliance"
Yeah, it's not ideal. I think the questions about a non-compliant installation by default will be more painful. I don't know if we'd get any but worse would be if someone noticed that we were non-compliant and instead of failing, things worked.
As for the final question, FIPS mandates that EMS be used, so it cannot work in a compliant installation.
At least it is enforced only when using the FIPS provider, so a small subset of users might be impacted.
paulidale
commented
1 year ago Closing vote which was accepted 6 for, 3 not voted.
t-j-h
commented
1 year ago Vote [+0]
t8m
commented
1 year ago Vote: [+1]
Note: the security policy for the 140-3 validation will mandate the
-pedanticoption as part of the installation instructions.