Thank you for your efforts and for creating such a fantastic library!
The Federal Information Processing Standard (FIPS) specifies security requirements for cryptographic modules that protect sensitive information in the US and Canada.
My understanding is as follows:
The software that depends on MimeKit is FIPS-compliant if MimeKit is FIPS-compliant.
> Thank you for your efforts and for creating such a fantastic library!
Thanks! I appreciate your kind words!
> Are you considering to introduce FIPS-compliant MimeKit?
Honestly, I had not put much thought into it because no one had asked for it and I wasn't sure what would be involved in making MimeKit FIPS compliant.
I suspect there's more than just using the FIPS version of BouncyCastle since at the very least, MimeKit does use MD5 for computing the Content-MD5 headers, but that is also "optional" in that it's not something that is on by default. It's only there for backward compatibility with ancient mail clients that used to compute a Content-MD5 header as a sort of "checksum" (much like a lot of download sites have md5 and/or sha1/sha256 checksums that you can use to verify the download isn't corrupt).
MD5, as you likely know, is most likely something that would kill FIPS certification. Probably even SHA-1 would as well these days.
That said, outside of the MD5 stuff for the Content-MD5 header support (which uses .NET's MD5 context), I do think most everything else uses BouncyCastle's crypto engines, so if MimeKit was built and linked against the FIPS-compliant BouncyCastle, you are probably correct that that would be all it really takes.
I'll try to look into this because I'm sure the reason you're asking is likely due to being required to have your product FIPS-compliant to be able to sell to a government agency somewhere?
I wonder if I'll need to have a separate FIPS-compliant MimeKit nuget package.