Brad House wrote:
> Ideally (in my view anyway), we'd have some sort of announcement as to
> where the FIPS code is being evaluated, then have a couple of weeks to
> a month to hammer at it before it's sent off to the (much more costly,
> and much more involved) CMVP validation.
> I like the idea of a peer review period. Personally I'd be interested
> in providing portability patches as we would like to support
> Linux, FreeBSD, OpenBSD, MacOSX (intel and ppc), Windows (32bit and
> 64bit), AIX 32bit and 64bit POWER, HPUX (parisc), SCO OpenServer 5.0.7
> and 6.0.0, Solaris (SPARC), and I'm sure I forgot something there.
Ok, guys, let me point out a harsh reality here. As noted in an earlier
comment, FIPS 140-2 validation doesn't mesh all that well with the open
source world.
Validation testing is expensive. The direct costs alone -- to pay the
test lab, for CMVP fees, for hardware and/or test lab travel expenses --
can easily approach US$50,000 for a single validation. That's not
including a single dime for the hundreds of hours of labor by OpenSSL
and OSSI participants.
So, each validation requires financial sponsorship. The financial
sponsors are all interested in helping to support open source in general
(otherwise they'd just do a "private label" validation for less cost and
hassle), but they do have specific requirements and deadlines. They are
paying the bill so their needs are the first priority for our efforts
and attention. If you want that same level of attention then feel free
to pony up (John Weathersby, [EMAIL PROTECTED], 601-427-0152 is the
man to call).
I have a full time on-site day job, for clients who pay me on a regular
basis. They get my attention during the day. I also work evenings and
weekends for nil to minimal sporadic compensation; the same is true for
Steve Henson and the other OpenSSL team members who have done all the
heavy lifting with the source code. Anything that's left over I'm happy
to devote to the OpenSSL user community at large. Unfortunately,
there's just not much of me left over :-)
Anyone who wants to volunteer their time to help out, please drop me a
line. Depending on your talents and level of commitment there's
probably some way you can contribute, on future validations if not this
one. Let me warn you first that the work is tedious, boring,
frustrating, and mind-bendingly surrealistic. There is a long "you're
kidding, right?" and "WTF?" learning curve...
-Steve M.
--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]