Brad House wrote:
> > Ok, guys, let me point out a harsh reality here. As noted in an earlier
> > comment, FIPS 140-2 validation doesn't mesh all that well with the open
> > source world.
> > Validation testing is expensive. ...
> > ...
> > Anyone who wants to volunteer their time to help out, please drop me a
> > line. Depending on your talents and level of commitment there's
> > probably some way you can contribute, on future validations if not this
> > one. Let me warn you first that the work is tedious, boring,
> > frustrating, and mind-bendingly surrealistic. There is a long "you're
> > kidding, right?" and "WTF?" learning curve...
> We're a paying OSS member (or at least we were, not sure if we were invoiced
> for a renewal this year). Also, we have made a financial contribution directly
> to Dr Steven Henson because of his efforts; we understand he is poorly
> compensated for all that he does. We're trying to help, but nothing more
> has been asked of us. We'd also like to contribute on a development or at least
> QA level as well. I just don't understand why this has been taken negatively.
Brad, sorry, I didn't mean to come across as negative. The point I was
trying to make is that once a validation starts I can't afford to delay
it to deal with problems that are discovered in the already frozen
baseline, unless those problems are critical to the requirements of the
paying sponsors. Hence we don't solicit general public input for
in-process validations. Reports of problems with already validated
versions are welcome and I think Dr. Henson in particular has been very
proactive in addressing those issues in the trunk for future
validations. Reports of problems with the submitted code for pending
validations are also welcome with the understanding that we almost
certainly won't be able to effect any change for that validation.
I'll plead guilty to the charge of inadequate communication. For most
of the duration of the first ground-breaking validation, a five year
ordeal, I was urged to minimize unnecessary public commentary while the
CMVP community sorted out some difficult policy and process issues with
this strange new open source thing. That sorting out has largely taken
place and I now have no excuse for not being more forthcoming. I'll try
to do better.
The best way to provide feedback on the code for future validations is
to pull and test the head of OpenSSL-fips-0_9_8-stable. Problems found
and fixed there will be included in future validations, as well as
eventually merged into the main development trunk.
As an OSSI member you're also welcome to contact OSSI directly with any
questions; I think we're pretty good at being responsive to those
contributors. And Steve Henson is responsive to everyone.
-Steve M.
--
Steve Marquess
Open Source Software Institute
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]