FIPS for BC Java News.


David Hook
Hi all,

Some news about FIPS and the Bouncy Castle Java API.

After initial funding, we completed a product review on the FIPS work
just over a month ago. It's taken us till now to deal with all the
issues that were raised and we are now in the process of getting ready
for a documentation review.

We have already raised the funds for the documentation review, however
we still need to raise the funds for testing.
So as part of this we are now willing to offer early access to the FIPS
API and provider for interested parties. The FIPS work has required
major changes to the lightweight API, and some small changes to the
provider level code. Note: not all algorithms currently available in the
BC provider are available in the FIPS release. A full set of the extra
algorithms appropriate for OpenPGP and CMS will be available in the FIPS
release where the module is not being used in FIPS-approved mode.

We have a general document about the API, changes, and motivations at:

http://www.bouncycastle.org/fips/BCFipsDescription-20140504.pdf

If everything goes according to plan we expect to be able to make the
APIs available by the end of the year. Apart from getting early access
before then, other reasons why it might be worth getting involved include:

- the algorithm set for non-FIPS approved mode is not yet finalised, but
it is unlikely to include everything in the regular BC release. If
there's an algorithm not on the current list that you need badly, now is
the time to bring it up. It will be some time before we do this again.
- NIST certify Java modules on the basis of processor family, operating
system, and the JVM major version number. If you want to minimise
testing costs associated with your application now is also a good time
to get involved as it may save you the need to re-certify on a platform
we don't cover.
- doing this means we have to write extra JavaDoc, if you're involved
there's a good chance it'll be in a shape that's useful to you, as well
as to the certification process (not that I'm implying that we'll do the
minimum required to get it passed... but, JavaDoc is nowhere near as
precise as Java, so some additional, external, "natural-language
analysis" is bound to improve it).
- this will be open source, you will be in a position to see exactly how
everything works as well as what gets used. Consider what that might
mean to you and your users.

Finally, we'd like to thank all those who have donated towards this,
especially our main sponsors to date:

Orion Health (http://www.orionhealth.com) and Crypto Workshop
(http://www.cryptoworkshop.com).

Crypto Workshop would also like to acknowledge the people who have
bought Bouncy Castle support agreements as it is largely through those
that funding has been possible.

If you, or your organisation, is interested in supporting this effort,
please contact us at:

[hidden email]

If you have specific questions, also feel free to contact me off list.

Regards,

David