On 8 Oct 2007 10:12:58 -0700, Stephan Somogyi wrote: > At 02:11 +1300 09.10.2007, Peter Gutmann wrote: > >> But if you build a FDE product with it you've got to get the entire product >> certified, not just the crypto component. > > I don't believe this to be the case. > > FIPS 140(-2) is about validating cryptographic implementations. It is > not about certifying entire products that contain ample functionality > well outside the scope of cryptographic evaluation. That's more of a > Common Criteria thing.
Yes, but an FDE product built on the OSSL FIPS module would not likely meet the FIPS 140-2 check box, as there is potentially more FIPS 140-2 relevant functionality in the FDE product beyond what was validated in the OSSL module, such as, say, the whole key life cycle for the FDE product. That does not necessarily mean all of the FDE product is FIPS relevant, so perhaps the FIPS relevant functionality in the FDE product could be self-contained and validated by itself, or perhaps the whole FDE product could be validated and the irrelevant functionality just excluded from the FIPS requirements, etc. (As Gutmann says though, vendors sometimes successfully employ a bit of hand-waving here, so you never quite know what will satisfy the FIPS check box.) > At 14:04 +0100 08.10.2007, Ben Laurie wrote: > >> ? OpenSSL has FIPS 140. > > OpenSSL FIPS Object Module 1.1.1 has FIPS 140-2 when running on SUSE > 9.0 and HPUX 11i, according to > > <http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#733> > > In the context of a conversation about whether something formally has > FIPS validation or not, the details are important. Yes, the details are important. The OSSL FIPS module was tested on those platforms, but is vendor affirmed on other platforms, assuming the module meets the vendor affirmation requirements described in the FIPS 140-2 implementation guidance on a given "other" platform. -Andrew --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
