It's still a question/answer verification system -- why can't they just submit all the questions and answers in one batch, and then submit bogus questions and answers in another batch, and then intersperse them in the third batch?
A check should not take forever and a freakin' day. -Kyle H ----- Original Message ----- From: "Steve Marquess" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Friday, September 08, 2006 4:31 AM Subject: Re: OpenSSL FIPS 140 Support > Brad House wrote: > > As far as I am aware, the 1.1 tarball won't be released until validation > > is complete, and the 1.0 tarball has been removed because the validation > > has been temporarily 'suspended'. > > > > Correct on both counts (current deployments based on 1.0 can remain in > use). The release of 1.1 is further complicated by the recent signature > forgery problem which will require the entire test suite drill to be > repeated, which will mean further indeterminate delays. > > That bug shows where the open source development model and the FIPS > 140-2 validation process are not a good fit. The lead time for > correcting and announcing problems in OpenSSL code is usually measured > in days. The lead time for validating changes is measured in many > months. Closed source proprietary vendors of course have an enormous > incentive to skip the announcement step :-) > > -Steve M. > > -- > Steve Marquess > Veridical Systems, Inc. > 1829 Mount Ephraim Road > Adamstown, MD 21710 > 301-524-9915 cell > 301-831-8447 land/fax > [EMAIL PROTECTED] > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List [email protected] > Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
