From: Anthony Liguori <anthony@codemonkey.ws>
To: Paul Moore <pmoore@redhat.com>
Cc: qemu-devel Developers <qemu-devel@nongnu.org>,
	Alexander Graf <agraf@suse.de>,
	Roman Drahtmueller <draht@suse.de>
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Thu, 07 Jun 2012 11:10:53 +0800
Message-ID: <4FD01BBD.4010201@codemonkey.ws>
In-Reply-To: <12067146.ZyE99xJO2B@sifl>

On 06/07/2012 06:56 AM, Paul Moore wrote:
> On Wednesday, June 06, 2012 01:56:52 AM Alexander Graf wrote:
>> The other one (FIPS) is basically a list of encryption algorithms that are
>> deemed OK and not crackable within seconds by anyone.
>>
>> Only one of the 2 doesn't help much. In combination they actually enhance
>> security. This patch is only about FIPS though.
>
> I don't have much to add beyond what Alex already posted.  FIPS 140-2 outlines
> a set of security requirements for systems implementing cryptography in a
> variety of forms; the full requirements are likely beyond the scope here but
> you can always read the full specification (Google knows where to find the
> document).
>
> The relevant portion appears to be annex A which lists the approved ciphers
> and their approved uses; DES is not listed as an approved cipher and that is
> the main problem we are trying to solve right now.

But does FIPS mandate that it's impossible for a user to use an unapproved cipher?

IOW, is just having this feature implemented at the libvirt level good enough to 
satisfy FIPS?  Do we really need to do this in QEMU?

Regards,

Anthony Liguori

>
