Hi Team,

I read through the content on the "OpenSSL" page regarding the 'hostage', 'ransom' 
and 'aftermath' details.

As I understand it,
the currently active 'SE version' or #2398 (2.0.12) has been 
validated/certified only on 23 new platforms (as per its 'Security Policy' pdf 
on NIST site)
and the other 100+ platforms of cert-number #1747 & #2743 (TAR ball 2.0.10) 
will be considered as "vendor-affirmed" or "user-affirmed" (as per section 'G5' 
of NIST Implementation Guide pdf) for this "SE or 2.0.12" version;
because this 2.0.12 version "functionally supports all previous platforms" (but 
not listed/stated explicitly by NIST for 2.0.12 or 2.0.13 or 2.0.N version of 
the module).

Is my understanding correct?

If No, request you to provide inputs to correct my understanding.

If Yes, then considering, we get a "Premium Level" support contract with 
OpenSSL Software services (commercial consulting entity);
can we again raise a NEW 'Validation/certification request' against an old 
platform that is already part of #1747 or #2743?

The purpose of my above question is that, we don't want to build 2 versions of 
our product, one that is built with 2.0.10 and another with 2.0.12 or higher 
for the same OS with different version (say FreeBSD 9.x and 10.x) to claim 
FIPS-validated status.
This way, we may be able to pay for re-asserting/revalidating by a CMVP for a 
dozen old platforms that are already part of #1747 or #2743 again in #2398 
(2.0.12) or 2.0.N;
thereby we can build our product using #2398 or some NEW certificate number 
#xxxx and claim "FIPS-validated" status with just one TAR ball (say 2.0.12 or 
some 2.0.N).
So that my product documentation would be clear with just ONE certificate 
number (either #2398 or #2473 or a #Brand_new_num) for all platforms of my 
interest.
Because, there will be some skeptical customers who would go to the NIST site 
for the certificate number we quote (#xxxx) and look for a list of 
"NIST-CMVP-Validated" platforms against a given #xxxx as they may not agree to 
"user-affirmed" or "vendor-affirmed" platforms as "FIPS-Validated".

Regards,
Murali Kamal
Senior Software Engineer
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
