On 09/23/2013 04:16 PM, Jim Adams wrote:
> The Security Policy for the FIPS Object Module 2.0 states:
>
> 5.1 Exclusive Use of the FIPS Object Module for Cryptography
> In order for the referencing application to claim FIPS 140-2 validation,
> all cryptographic functions utilized by the application must be provided
> exclusively by the FIPS Object Module. The OpenSSL API used in conjunction
> with the FIPS Object Module in FIPS mode is designed to automatically
> disable all non-FIPS cryptographic algorithms.
>  
> Question:
> Does this also preclude the use of other FIPS-validated cryptographic
> modules in an application using OpenSSL FIPS? If an app has an option to
> use either OpenSSL-FIPS or MS-CAPI, in FIPS mode, for SSL functionality,
> does that somehow invalidate the claim that the OpenSSL use is validated?

It's all a matter of careful semantics.

At level 1 it is only the "cryptographic module" that is validated, not
the application (Apache httpd, say, or Stunnel, etc.). So it is never
strictly correct to say that your *application* that uses the OpenSSL
FIPS Object Module is "FIPS 140-2 validated".

The gist of the USG procurement policies requiring FIPS 140-2 validation
is that all cryptography is supposed to be FIPS 140-2 validated. So you
can't claim to be in compliance if your application uses the OpenSSL
FIPS module *and* some other cryptographic implementation(s) that are
not also validated. Stock OpenSSH is an example of such an application,
as it contains some in-line cryptography. Ditto any IPsec product due to
the use of kernelspace crypto.

If your application uses only FIPS 140-2 validated cryptography
exclusively (whether from one or more validated modules) then you can
claim compliance.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org