Brad House wrote:
I happened to find this through google:

http://www.oss-institute.org/index.php?option=com_content&task=view&id=208&Itemid=123

Does it mean openSSL is again FIPSed?

Well, considering the link to the security policy doesn't work, I'd
say not.  The version that was previously up was 1.0 ... it appears
as though the link states a different version though.

The original OpenSSL FIPS Object Module validation (certificate #642, see http://csrc.nist.gov/cryptval/140-1/140val-all.htm#642 <http://csrc.nist.gov/cryptval/140-1/140val-all.htm#642>) has been in "not available" status for some time. The CMVP defines that status thusly:

"If a validation certificate is marked /_not available_/, the module is no longer available for procurement from the vendor identified on the certificate, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2."

OSSI and the OpenSSL team submitted a revised product months ago for the lengthy re-evaluation process, a process that was delayed even further by the PKCS padding flaw that affected many FIPS-140 validated products. This week we received a draft validation certificate, a step that usually indicates the final approval is imminent. The new release will be designated version 1.1.1. We will immediately begin work on a follow-on source based validation.

The long lead time for CMVP evaluations is clearly a major problem for prospective users of FIPS-140 validated OpenSSL software. Thanks to recent financial sponsorship OSSI is close to launching an initiative to perform "rolling" binary validations on a periodic basis -- every six months initially -- that can be the basis for platform specific "vendor affirmed" binary modules that can be made to order for application vendors unable to wait for the source based product. We hope to be announcing the details soon.

-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to