OpenSAML user discussion

[Christopher Fasbinder <>]

Scott,
        Yes,
I used the wrong acronym JCE is what I meant (I understand that is a big
difference).  We are not actually looking at using OpenSAML library
for any transport so any SSL usage done by the library is not a concern
to us.  Good to know we are covered though and can still consider
using OpenSAML.

Thanks,
Chris



From:      
 "Cantor, Scott
E." <>
To:      
 ""
<>
Date:      
 06/23/2011 03:25 PM
Subject:    
   Re: [OpenSAML]
How to use OpenSAML and maintain FIPS 140-1 compliance?
Sent by:

---

On 6/23/11 3:13 PM, "Chris Fasbinder" <>
wrote:

>I am working on a project where we are considering using OpenSAML.
 The
>product we plan to update currently uses a third party cryptography
module
>that has been validated by NIST for FIPS 140-1 compliance.  We
would like
>to
>continue to use that third party cryptography module for all cryptography
>to
>not require our own validation by NIST, unless the cryptography module
>used by
>OpenSAML has already by validated for FIPS 140-1 compliance.  Since
my
>company
>discourages employees from viewing third party open source code, I
would
>like
>to know how I can plug-in what cryptography module OpenSAML will use.
 The
>third party cryptography module we currently use does provide a JSSE
>provider.

JSSE is the SSL layer. The crypto in OpenSAML is JCE (and it's pluggable
via that mechanism).

The only place the SSL might come into play is the SOAP client code, Chad
or Brent could speak to that.

-- Scott