[Gpg4win-users-en] GPG4Win and FIPS 140-2 Compliant

Wed Jul 7 08:29:51 CEST 2021

Hi Gaurav,

Am Mittwoch 07 Juli 2021 01:50:21 schrieb Gaurav Sharma:
> If this product operates a FIPS 140-2 validated module

 * libgcrypt (the relevant crypte module of Gpg4win) has active FIPS 140-2 
   certifications for other platforms than Windows.

https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&ModuleName=libgcrypt&CertificateStatus=Active&ValidationYear=0

> If so, can you please provide me with any documentation around it?

   The technical development manual with the details is here
    https://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html

Citing from it:
  Because FIPS 140 has certain restrictions on the use of cryptography
  which are not always wanted, Libgcrypt needs to be put into FIPS mode
  explicitly. 

So it depends what you need:
 * general code quality, is there
 * fips mode, you'd need to build the product with this mode enabled
 * certified binaries, not there yet, if there is a lot of demand,
   a vendor like https://gnupg.com/ maybe able to provide them some point
   in the future.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-users-en/attachments/20210707/1987ea8a/attachment.sig>