(Non)status of OpenSSL FIPS Object Module v1.2 Validation

2008-09-26 Thread Steve Marquess
I haven't made any announcements for some time because there has been nothing to announce. We're still waiting. The last inquiries from the CMVP, which seemed fairly routine and minor, were all (I believe) satisfactorily responded to as of September 9. I have no indications that the CMVP is

OpenSSL FIPS Object Module v1.2 snapshots

2007-12-18 Thread Steve Marquess
Snapshots from the OpenSSL-fips-0_9_8-stable branch where development for FIPS 140-2 currently takes place are now being posted in the snapshot area, ftp://ftp.openssl.org/snapshot/. These will have names of the form openssl-0.9.8-fips-test-SNAP-MMDD.tar.gz

Re: OpenSSL FIPS Object Module v1.2

2007-12-12 Thread Steve Marquess
Kyle Hamilton wrote: On Dec 2, 2007 4:31 PM, Steve Marquess [EMAIL PROTECTED] wrote: ...big snip... c) I would like to know where to find the formal specification documents for what must be met in a module boundary, ... The module boundary is *the* key concept for FIPS 140-2. It is also a

Re: OpenSSL FIPS Object Module v1.2

2007-12-12 Thread Steve Marquess
Kyle Hamilton wrote: I'll go out on a limb here and express my (certainly naive) extrapolations/interpolations: Module Boundary: That which contains the entire deliverable that implements the algorithms required by FIPS 140-2 and the glue to make them accessible. (The physical string of

Re: OpenSSL FIPS Object Module v1.2

2007-12-11 Thread Steve Marquess
Kyle Hamilton wrote: I'm trying to point out something that I perceive as an issue in the organizational intelligence. ...big snip... To make plain the changes that I'd like to see, in order of my perception of possibility/likelihood: a) I would like to see the addition of ability for

Re: OpenSSL FIPS Object Module v1.2

2007-12-10 Thread Steve Marquess
Kyle Hamilton wrote: On Dec 2, 2007 4:31 PM, Steve Marquess [EMAIL PROTECTED] wrote: Kyle Hamilton wrote: I just want to have the opportunity to know that what is submitted will actually run on the platform I must use. ... big snip ... Kyle, you raise a number of good points that

Re: OpenSSL FIPS Object Module v1.2

2007-12-02 Thread Andy Polyakov
However, I am honestly annoyed that there have been two validation cycles past without (still!) a working FIPS-validated module for the Intel Mac. What is this statement based on? Intel Mac support was added and tested prior to second submission. Though it's limited to 32 bits... Because 64-bit

Re: OpenSSL FIPS Object Module v1.2

2007-12-02 Thread Brad House
However, I am honestly annoyed that there have been two validation cycles past without (still!) a working FIPS-validated module for the Intel Mac. What is this statement based on? Intel Mac support was added and tested prior to second submission. Though it's limited to 32 bits... Because

Re: OpenSSL FIPS Object Module v1.2

2007-12-02 Thread Steve Marquess
Kyle Hamilton wrote: ... Yes, that is understandable. Any code going through validation at that time cannot be touched. I think what Kyle asked for was prior to the next validation starting, a 2-week window where people could provide patches. Basically a 'last-call', or at least some

Re: OpenSSL FIPS Object Module v1.2

2007-12-02 Thread Kyle Hamilton
On Dec 2, 2007 4:31 PM, Steve Marquess [EMAIL PROTECTED] wrote: Kyle Hamilton wrote: I just want to have the opportunity to know that what is submitted will actually run on the platform I must use. Your best approach is to report problems (or provide patches) for the head of

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Dr. Stephen Henson
On Fri, Nov 30, 2007, Brad House wrote: I didn't actually know a public CVS branch existed for 0.9.8 fips until an e-mail last night. Is the only way to grab the current branch to rsync the _entire_ openssl cvs repository then do a local checkout? Are there any snapshots of that branch

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
Brad House wrote: Brad, sorry, I didn't mean to come across as negative. The point I was trying to make is that once a validation starts I can't afford to delay it to deal with problems that are discovered in the already frozen baseline, unless those problems are critical to the requirements

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Brad House
Brad, sorry, I didn't mean to come across as negative. The point I was trying to make is that once a validation starts I can't afford to delay it to deal with problems that are discovered in the already frozen baseline, unless those problems are critical to the requirements of the paying

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
Steve Marquess wrote: Brad House wrote: Ok, guys, let me point out a harsh reality here. As noted in an earlier comment, FIPS 140-2 validation doesn't mesh all that well with the open source world. ... We're a paying OSS member (or at least we were, not sure if we were invoiced for a

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Brad House
Ok, guys, let me point out a harsh reality here. As noted in an earlier comment, FIPS 140-2 validation doesn't mesh all that well with the open source world. Validation testing is expensive. The direct costs alone -- to pay the test lab, for CMVP fees, for hardware and/or test lab travel

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
Brad House wrote: Ideally (in my view anyway), we'd have some sort of announcement as to where the FIPS code is being evaluated, then have a couple of weeks to a month to hammer at it before it's sent off to the (much more costly, and much more involved) CMVP validation. I like the idea

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
Brad House wrote: Ok, guys, let me point out a harsh reality here. As noted in an earlier comment, FIPS 140-2 validation doesn't mesh all that well with the open source world. Validation testing is expensive. ... ... Anyone who wants to volunteer their time to help out, please drop me a

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Kyle Hamilton
On Nov 30, 2007 11:33 AM, Steve Marquess [EMAIL PROTECTED] wrote: Brad House wrote: Brad, sorry, I didn't mean to come across as negative. The point I was trying to make is that once a validation starts I can't afford to delay it to deal with problems that are discovered in the already

Re: OpenSSL FIPS Object Module v1.2

2007-11-29 Thread Kyle Hamilton
The FIPS validation process is... odd. And not at all conducive to the open-source development model. There is no available OpenSSL FIPS Object Module v1.2. Until it passes validation, anyway, at which point the openssl-fips-1.2.0.tar.gz file will be made available. I don't think the source

Re: OpenSSL FIPS Object Module v1.2

2007-11-29 Thread Kyle Hamilton
validation cycle it'll still be a lot easier to see what's going on. -Kyle H On Nov 29, 2007 5:59 PM, Steve Marquess [EMAIL PROTECTED] wrote: Kyle Hamilton wrote: There is no available OpenSSL FIPS Object Module v1.2. Well, yes and no. Check out the OpenSSL-fips-0_9_8-stable branch. The code

Re: OpenSSL FIPS Object Module v1.2

2007-11-29 Thread Steve Marquess
Kyle Hamilton wrote: The FIPS validation process is... odd. And not at all conducive to the open-source development model. There is a certain dissonance, for sure :-) There is no available OpenSSL FIPS Object Module v1.2. Well, yes and no. Check out the OpenSSL-fips-0_9_8-stable branch

Re: OpenSSL FIPS Object Module v1.2

2007-11-29 Thread Brad House
Ideally (in my view anyway), we'd have some sort of announcement as to where the FIPS code is being evaluated, then have a couple of weeks to a month to hammer at it before it's sent off to the (much more costly, and much more involved) CMVP validation. I like the idea of a peer review

Re: OpenSSL FIPS Object Module v1.2

2007-11-29 Thread Peter Waltenberg
Subject:Re: OpenSSL FIPS Object Module v1.2