Hi all, Jumping in while I have a moment because this hits a particular bugaboo for me. "*validated as meeting FIPS 140 level 1*" is not a thing. FIPS 140 is a certification process for cryptographic modules, and certified modules will have a security policy published which instructs customers how to operate in FIPS mode. Unless something has changed while I was not paying attention, there is no "validation" process to confirm whether modules are being operated in compliance with the instructions. Yet another example of meaningless requirements in 800-63. Thanks and FWIW, Scott On Sat, Apr 6, 2024 at 8:30 AM Jimmy Jung <jimmy.jung@slandala.com> wrote:
We have mostly avoided the federal agency/FIPS 140 criteria, but I was looking at 63B#0120, which is taken word for word from 800-63B and requires “verifiers to meet FIPS 140 Level 1 or higher.”
“Verifiers” refers to an organization, typically the CSP – specifically, 63 defines it as “an entity that verifies the claimant’s identity by verifying the claimant’s possession and control of one or two authenticators using an authentication protocol. To do this, the verifier may also need to validate credentials that link the authenticator(s) to the subscriber’s identifier and check their status.”
But FIPS 140 is Security Requirements for devices, specifically Cryptography and Cryptographic Modules. So, I can’t figure out what they want here.
*63B#0120*
*Federal agencies SHALL only operate verifiers which have been validated as meeting FIPS 140 Level 1 or higher.*
(possibly that cryptographic authenticators should meet FIPS 140 – but that would appear to conflict with other criteria and guidance?)
Jimmy
_______________________________________________ A Community Group mailing list of KantaraInitiative.org WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org To unsubscribe send an email to staff@kantarainitiative.org List archives -- https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantara... ______ Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance