On 03/24/2014 07:55 AM, Leon Brits wrote: > Hi, > > > > We are in the process of validating our product to FIPS 140-2 level 3. > The product is based on OpenSSL FIPS Object Module v2.0.2. > > I have a question/concern with regard to the latest Summary of SP > 800-131A and FIPS 186-2 to FIPS 186-4 Transitions document from the > CAVP. Please correct me where I make a mistake in my thinking: > > > > 1. The OpenSSL FIPS Object Module is only validated for RSA [FIPS 186-2]
Correct, was and still is. At the time that validation (certificate #1747) was first obtained FIPS 186-4 didn't exist. We believe some relatively simple source code modifications would suffice to pass the new algorithm tests, but we're not allowed to apply those to existing validations. > 2. According the SP 800-131A it means that NIST will not validate > any new requests starting from this year with that implementation – right? Apparently after months of deliberation the CMVP has recently decided to once again permit "change letter" updates to pre-2014 validations. We're still waiting on the algorithm test vectors that would be needed, though (we have 11 new platforms in our lab ready and waiting, some since late December). New validations will have to conform to multiple new requirements including the SP800-131A transition. > 3. Our product is now ready for testing, so does that mean we will > not succeed? Only if you use unmodified OpenSSL FIPS Object Module (e.e. openssl-fips-2.0.N.tar.gz) code. With appropriate code modifications a new validation is possible, at least in principle. > 4. Can I still do a “Platform Validation” so as to OEM certificate > #1747 algorithm certificate numbers? Are you asking if you can sponsor the addition of platforms to the #1747 validation? Apparently the answer is yes. New validations will not be able to leverage the #1747 algorithm certs. This is really a question you should be asking your accredited test lab, though. > 5. If successful will/should the testing company accept those > certificate numbers? > > 6. Will/Should the testing company continue to validate the rest of > the system and continue to submit for validation? Hmmmm ... by "testing company" I assume you mean "accredited FIPS 140-2 testing laboratory". Check with several, as you may well get different answers to some questions. Ultimate acceptance of anything isn't up to the test labs, of course. > Any advise on howto validate this product? At some point in time OSF may once again attempt to perform private label validations as we have in the past. We're currently considering doing our first validation in 2014 for a particularly supportive and valued past customer. If that happens and works out well then OSF may again be a cost-effective resource for such validations, at least until the next set of disruptive requirements changes. We'll know in as little as a year. In the meantime, you'll need lots of money, lots of patience, and luck. Note all my comments above apply to Level 1 validations. Level 3 introduces additional challenges. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
