[swift-server-dev] FIPS certification

Carl Brown carlb at pobox.com
Tue Feb 21 15:49:55 CST 2017

It looks to me like Vapor (0.18) is now using LibreSSL, although you're right that Perfect was still using OpenSSL last I looked (2.0). 

I can't speak to any particular client company or government agency (RFPs being proprietary, etc.) but I am confident that, at times, some random, non-technical person in purchasing is making decisions about which bids to disqualify based on a spreadsheet of features with column names like "FIPS compliance (native)" and "FIPS compliance (optional)".  In that event, consultants and firms that want to use Swift to fulfill those contracts would have an easier time if OpenSSL was the default.  I've seen too many cases where management just says to purchasing: "Find some criteria to get it down to 3 bidders, I don't want to have to read any more than 3 proposals."  When that happens, the more check boxes you have on your spreadsheet line, the better for you.
I would expect that RFPs that are more concerned about actual security rather than the standardized appearance of security would have a deeper understanding of the libraries and trade-offs, and so be better equipped to deal with "we can plug in the SSL library of your choosing".  Whereas I would expect the reverse not to be true.

I'm not personally thrilled about the current way large RFPs seem to be handled (especially as an individual (and former government employee) whose Social Security number has been stolen from government servers more than once), but that's the situation that we're in.  And all other things being equal, I'd rather Swift be an option for more government systems that may contain my information rather than fewer of them.


Carl Brown
Swift at IBM
W: Carl.Brown1 at IBM.com
H: CarlB at pobox.com

Sent from my iPad

> On Feb 21, 2017, at 3:00 PM, Drew Crawford via swift-server-dev <swift-server-dev at swift.org> wrote:
>> On February 21, 2017 at 2:36:33 PM, Swizzlr (me at swizzlr.co) wrote:
>> who have refused to use Swift on the grounds that the crypto interface isn't FIPS certified.
> My understanding is that both Perfect and Vapor use OpenSSL, which is FIPS-certified in the proper mode.  Can you go into more detail about why using Swift in combination with one of those wasn't an option for these entities?
> _______________________________________________
> swift-server-dev mailing list
> swift-server-dev at swift.org
> https://lists.swift.org/mailman/listinfo/swift-server-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.swift.org/pipermail/swift-server-dev/attachments/20170221/55af784c/attachment.html>

More information about the swift-server-dev mailing list