Hello everyone! I work for a company that uses OpenSSH/OpenSSL to remotely support systems we've sold. Since some of our clients are US Dept. of Defense hospitals, our access to these servers needs to comply with a whole range of requirements and standards. At this point it's looking like the SSH daemon needs to be FIPS 140-2 compliant, and the only package that is certified is F-Secure.
The other option is for CliniComp to sponser getting OpenSSH/OpenSSL through the certification process, and that's what I'm exploring. I'd really appreciate knowing what the core developers think about this, and how willing they would be to assisting in the process. I know there will need to be a fair amount of documentation, and there is no subsitute for first-hand knowledge. Also, it seems pretty clear that at least some code changes will be needed including self-tests, a new prng, and work in the key generation & validation modules. While we (CliniComp) do have some resources including technical writers and programmers, we certainly do not have the expertise in cryptography to just do it all ourselves. And if this does happen, part of the point would be for the necessary changes to be rolled back into the standard package. Please understand that right now I'm just exploring possibilities, but the other option for us is to spend a lot of money on F-Secure licenses. I would very much appreciate hearing your thoughts and from anyone else interested in making this happen. Thanks, --Nathan ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
