Tuesday, August 23, 2022

[389-users] Re: NOTICE - Rust will be mandatory starting in 389-ds-base-2.2

> On 24 Aug 2022, at 00:17, Mark Reynolds <mareynol@redhat.com> wrote:
> On 8/23/22 9:58 AM, Trevor Vaughan wrote:
>> How are you going to handle the FIPS build issues surrounding Rust right now?
>> Are all crypto libraries going to build against the underlying OpenSSL (or something else certified)?
> Correct all the Rust password storage scheme plugins use OpenSSL (not NSS), so we don't have these issues anymore.
> FYI we were able to get the NSS PBKDF2 version working in FIPS (in very recent versions), but the Rust version is much better and more secure.

The other improvement of the OpenSSL version of PBKDF2 vs the NSS version, is that the NSS version uses a slower PBKDF2 construction which more than halves the number of rounds we can do which limits the ability to improve memory/time hardness on the password checks. So being able to use the OpenSSL version, which also benefits from being written in a memory safe language is fantastic to improve password handling security :)

So I'm very excited about this change and that it will be a default soon :)


William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

No comments:

Post a Comment