>On Thu 28/06/12 3:25 PM , Steve Marquess marqu...@opensslfoundation.com sent:
>The long awaited validation of the OpenSSL FIPS Object Module v2.0 ("2.0
>module") is now complete:
>
>
>One very important difference to note is that a new requirement has been
>imposed on the distribution of the 2.0 module. The CMVP (the program
>granting the validation) has specifically disallowed the conventional
>process of downloading the source code distribution from a web site. To
>use the 2.0 module for production purposes where FIPS 140-2 validation
>is to be claimed the source must be obtained by a "secure path", and the
>most feasible such mechanism is transfer via physical media, i.e. a
>snail-mailed CD-ROM disk. We will provide such disks at no charge for as
>long as possible, see:
>

Congratulations Steve and team.

Is this requirement written down anywhere? I also wonder how it applies to other software-based crypto modules, such as RSA's CryptoC, etc, or is it primarily an issue with source code?

Could someone (Shining Light, etc) obtain a CD with source through "secure" (ahem) mechanisms but then place a FIPS-approved module online for download (with appropriate signatures, etc)?

Regards,
Carl