Apple has posted the Apple FIPS Cryptographic Module v1.1 and has an associated "How to set up and maintain a FIPS-enabled OS X Lion system" kbase. FIPS validation is a certification program by NIST (National Institute of Standards and Technology) to verify cryptographic modules. It appears from here that the CDSA module is 140-2 level 1 certified. For those not versed in the dark details of FIPS certification, Wikipedia defines 140-2 Level 1 as "all components must be "production-grade" and various egregious kinds of insecurity must be absent".
The interesting piece to all this is in the "additional information" section of the "How to set up and maintain a FIPS-enabled OS X Lion system" kbase:
"OS X Lion security services are now built on a newer "Next Generation Cryptography" platform and have transitioned from the CDSA/CSP module previously validated on Mac OS X v10.6. However, Apple has re-validated the same CDSA/CSP module under OS X Lion to provide continued validation solely for third-party applications."
So Lion is not FIPS validated, but the CDSA on Lion is, but only 3rd party apps use it. Clear?
Timothy Perfitt
Timothy Perfitt is currently the head of Twocanoes Software, Inc, creator of iOS and Mac apps for the IT market. Prior to Twocanoes Software, he survived the collapse of the dot com era by jumping from Coolboard.com to Apple, Inc in 2001. He worked on the initial certification training materials for Mac OS X, worked in Education Sales, and then finished his time at Apple in 2012 working with Fortune 500 customers to integrate Macs and iOS devices into complex environments. He is a returned Peace Corps volunteer, serving in the Solomon Islands as a math and science teacher from 1991 to 1993.
Follow Me:
by 
Recent Comments