Hi Team,
I read through the content on the "OpenSSL" page regarding the 'hostage', 'ransom'
and 'aftermath' details.
As I understand it,
the currently active 'SE version' or #2398 (2.0.12) has been
validated/certified only on 23 new platforms (as per its 'Security Policy' pdf
on NIST site)
and the other 100+ platforms of cert-number #1747 & #2743 (TAR ball 2.0.10)
will be considered as "vendor-affirmed" or "user-affirmed" (as per section 'G5'
of NIST Implementation Guide pdf) for this "SE or 2.0.12" version;
because this 2.0.12 version "functionally supports all previous platforms" (but
not listed/stated explicitly by NIST for 2.0.12 or 2.0.13 or 2.0.N version of
the module).
Is my understanding correct?
If no, I request you to provide inputs to correct my understanding.
If yes, then, considering we get a "Premium Level" support contract with
OpenSSL Software services (commercial consulting entity);
can we again raise a NEW 'Validation/certification request' against an old
platform that is already part of #1747 or #2743?
The purpose of my above question is that we don't want to build 2 versions of
our product, one that is built with 2.0.10 and another with 2.0.12 or higher
for the same OS with different versions (say FreeBSD 9.x and 10.x) to claim
FIPS-validated status.
This way, we may be able to pay for re-asserting/revalidating by a CMVP for a
dozen old platforms that are already part of #1747 or #2743 again in #2398
(2.0.12) or 2.0.N;
thereby we can build our product using #2398 or some NEW certificate number
# and claim "FIPS-validated" status with just one TAR ball (say 2.0.12 or
some 2.0.N).
So that my product documentation would be clear with just ONE certificate
number (either #2398 or #2473 or a #Brand_new_num) for all platforms of my
interest.
Because, there will be some skeptical customers who would go to the NIST site
for the certificate number we quote (#) and look for a list of
"NIST-CMVP-Validated" platforms against a given # as they may not agree to
"user-affirmed" or "vendor-affirmed" platforms as "FIPS-Validated".
Regards,
Murali Kamal
Senior Software Engineer