I dunno who I'm supposed to give feedback to, but this format of FIPS announcement needs some work.

First, the subject line doesn't say anything about the version of the FIPS module that has been validated. (In this case, it should be something like "OpenSSL FIPS 140-2 validation for module v1.2".) My reason for suggesting this is twofold: the original plan called for multiple versions going through validation, and so that the press release can be used for press without any additional investigation by a reporter, and without causing confusion between the multiple FIPS module versions by a reader.

Second, it doesn't describe which version of the OpenSSL API the newly-validated module supports. (In this case, it supports v0.9.8 (and requires 0.9.8i onward), but I dunno about 0.9.7?) Providing compatibility with a version bump in the API is significant enough that it should be called out in the press release.

Third, a statement that the result of the validation is only validated if it's built and used in accordance with the security policy would likely be good as well. I don't really have a rationale for this one, except that it reminds people that there is a security policy that must be followed for FIPS-using applications.

Thanks for your time!

-Kyle H

On Tue, Nov 18, 2008 at 10:40 AM, OpenSSL <[EMAIL PROTECTED]> wrote:
> Good news for developers and vendors of software for the U.S. and
> Canadian government market where FIPS 140-2 validated cryptography is
> required.
>
> The "OpenSSL FIPS Object Module", a software component compatible with
> the OpenSSL API, has been FIPS 140-2 validated (see certificate #1051
> and Security Policy document at
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm).
> The source distribution that generates this validated module is at
> http://www.openssl.org/source/openssl-fips-1.2.tar.gz.
>
> This validation means that the referenced source distribution can be
> used to create a binary module on a wide range of platforms, in a form
> compatible with OpenSSL 0.9.8, for enabling FIPS 140-2 validated
> cryptography in applications.
>
> Please see the Security Policy document for details on how to create a
> validated module for your platform and application. Other supporting
> information will be made available at http://www.openssl.org/docs/fips/
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager [EMAIL PROTECTED]