Rephrasing the question

Stan Rydzewski srydzews at gmail.com
Thu Jan 4 21:39:31 CET 2007


Hello. I am part of a team creating a communications process by which
hospitals would submit files periodically to a government organization
in the United States.  We were contemplating using GPG as part of this
process.  A few days ago, one of the hospitals involved stated

"The VA requires that all encryption MUST be FIPS140-2 compliant.   Do
you know if this program is?"

Well not only do I not know, I'm not entirely sure how to tell.  I
asked about this yesterday, but somewhat sketchily.  Allow me to
elaborate a bit.  On the one hand it appears to me that GPG implements
algorithms listed here:

http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf

as regards encryption, hashing, and authentication. But on the other
hand GPG itself does not seem to be listed here:

http://csrc.nist.gov/cryptval/140-1/1401val2003.htm#329

I'm not sure whether it even makes sense to think that it /could/ be
on that list.

I know this is all very basic stuff but I'm looking for a little
guidance here.  In searching the archives (yes, got that part) I can
find only a few oblique references to FIPS.


--Stan Rydzewski


