Inquiry About FIPS-Compliant MimeKit #1090
Comments
Thanks! I appreciate your kind words!
Honestly, I had not put much thought into it because no one had asked for it and I wasn't sure what would be involved in making MimeKit FIPS compliant. I suspect there's more than just using the FIPS version of BouncyCastle since at the very least, MimeKit does use MD5 for computing the Content-MD5 headers, but that is also "optional" in that it's not something that is on by default. It's only there for backward compatibility with ancient mail clients that used to compute a Content-MD5 header as a sort of "checksum" (much like a lot of download sites have md5 and/or sha1/sha256 checksums that you can use to verify the download isn't corrupt). MD5, as you likely know, is most likely something that would kill FIPS certification. Probably even SHA-1 would as well these days. That said, outside of the MD5 stuff for the Content-MD5 header support (which uses .NET's MD5 context), I do think most everything else uses BouncyCastle's crypto engines, so if MimeKit was built and linked against the FIPS-compliant BouncyCastle, you are probably correct that that would be all it really takes. I'll try to look into this because I'm sure the reason you're asking is likely due to being required to have your product FIPS-compliant to be able to sell to a government agency somewhere? I wonder if I'll need to have a separate FIPS-compliant MimeKit NuGet package.
Consider allowing the user to pass in their own cryptography implementations, then we can just pass in our FIPS implementation and MimeKit doesn't need to do anything else. I would avoid adding a dependency to BouncyCastle FIPS library, it has issues giving wrong results on .NET Core, and has conflicting namespace issues with BouncyCastle.Cryptography, making it hard to use both libraries at the same time. It's also not published on NuGet. I see a similar idea was already attempted in: #820
Yes, I had the same thought.
Dear Mr. Stedfast,
Thank you for your efforts and for creating such a fantastic library!
My understanding is as follows:
Are you considering introducing a FIPS-compliant MimeKit?