On Sat, Sep 06, 2003 at 03:33:44PM -0400, Wei Dai wrote: > Do you have *written* guidance from NIST/CSE that your approach is ok? > (Not the testing lab, what they say don't really count in the end, and > neither does what NIST/CSE say verbally.) If so can you please post that > written guidance?
I think I may have found such a written guidance myself. It's guidance G.5, dated 8/6/2003, in the latest "Implementation Guidance for FIPS 140-2" on NIST's web site: http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf. This section seems especially relevant: For level 1 Operational Environment, the software cryptographic module will remain compliant with the FIPS 140-2 validation when operating on any general purpose computer (GPC) provided that: a. the GPC uses the specified single user operating system/mode specified on the validation certificate, or another compatible single user operating system, and b. the source code of the software cryptographic module does not require modification prior to recompilation to allow porting to another compatible single user operating system. (end quote) The key word here must be "recompilation". The language in an earlier version of the same guidance was this: b. the software of the cryptographic module does not require modification when ported (platform specific configuration modifications are excluded). which left the source code issue ambiguous, but in practice NIST/CSE did not validate any source code and told everyone verbally that source code could not be validated. I'd love to know how the OpenSSL team got NIST/CSE to change their mind. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
