You must use the specific binaries of version 3.12.9.1 from back in 2012 to
be really, honestly, truly FIPS 140 compliant.

Further, you must use a FIPS-certified implementation to verify the
integrity of that version in order to be really, no kidding FIPS 140
compliant, or get it on a disk directly from Mozilla (and the cryptographic
integrity option is only available if the Security Policy explained how to
cryptographically validate the binaries that you received).

FIPS compliance is all about documenting the chain of custody. Once you
have that, make absolutely certain that you keep that chain of custody in a
safe along with the original disk that you received the binaries on.

(There might be a process for Mozilla to push a new version with a "vendor
change letter" or something, but that depends on their CMVP validation
provider and various strange and arcane NIST rules.  I've been following
the OpenSSL FIPS validation saga and let me tell you, it's *awful*.)

-Kyle H

On Mon, Feb 13, 2017 at 11:11 AM, Ernie Kovak <ernie.ko...@gmail.com> wrote:

> Sorry, I'm not familiar with the rules governing FIPS 140-2 certification
> and I'd appreciate some help with the following question:
>
> I find NIST certification #1837 for version 3.12.9.1 from back in 2012
> (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1837).
>
> Have the changes made between then and the current v3.28.2 been such that
> that certification still applies?
>
> Or do I have to use 3.12 to be really, no kidding FIPS 140 compliant?
>
> Thanks!
> Ernie
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto