Brad House wrote:
I happened to find this through google:
http://www.oss-institute.org/index.php?option=com_content&task=view&id=208&Itemid=123
Does it mean openSSL is again FIPSed?
Well, considering the link to the security policy doesn't work, I'd
say not. The version that was previously up was 1.0 ... it appears
as though the link states a different version though.
The original OpenSSL FIPS Object Module validation (certificate #642,
see http://csrc.nist.gov/cryptval/140-1/140val-all.htm#642
<http://csrc.nist.gov/cryptval/140-1/140val-all.htm#642>) has been in
"not available" status for some time. The CMVP defines that status thusly:
"If a validation certificate is marked /_not available_/, the module is
no longer available for procurement from the vendor identified on the
certificate, but may still be retained and used to demonstrate
compliance to FIPS 140-1 or FIPS 140-2."
OSSI and the OpenSSL team submitted a revised product months ago for the
lengthy re-evaluation process, a process that was delayed even further
by the PKCS padding flaw that affected many FIPS-140 validated
products. This week we received a draft validation certificate, a step
that usually indicates the final approval is imminent. The new release
will be designated version 1.1.1. We will immediately begin work on a
follow-on source based validation.
The long lead time for CMVP evaluations is clearly a major problem for
prospective users of FIPS-140 validated OpenSSL software. Thanks to
recent financial sponsorship OSSI is close to launching an initiative to
perform "rolling" binary validations on a periodic basis -- every six
months initially -- that can be the basis for platform specific "vendor
affirmed" binary modules that can be made to order for application
vendors unable to wait for the source based product. We hope to be
announcing the details soon.
-Steve M.
--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]