On Wed, Sep 09, 2009, Thor Lancelot Simon wrote:

> On Sat, Aug 29, 2009 at 05:34:04PM -0400, Steve Marquess wrote:
> 
> That this wasn't the obvious approach from the very beginning speaks
> worlds about the limitations of the ENGINE interface.

The actual story of why FIPS is the way it is is rather different. I think a
few home truths are in order on this and some related issues.

I largely stay in the background and just get on with development. I'm
getting painfully aware of one of the consequences of that: some think the
work is magically done by the pixies using fairy dust and take it for granted.

Sometimes it is worse than that: I get private messages from some effectively
demanding free consultancy as if it is their right.

Anyone not aware of my contributions to the OpenSSL project should look at
many of the source files, CHANGES and the commit lists. I've put a *huge*
amount of effort into this project since the beginning over many years most of
it unfunded.

Back to FIPS...

I wasn't involved with the FIPS project until after 1.0, that used OpenSSL
0.9.7 many years ago...

I first got really involved when some ultra urgent fixes (unfunded of course)
were needed for the 1.1 validation at a point where the future of the whole
thing was in doubt. I stepped in working almost round the clock while I was
supposed to be on vacation. I suspect if it wasn't for that there wouldn't
even be a FIPS project to discuss.

That's just history though. I can comment on why 1.2 is the way it is.

The current design speaks volumes for the level of funding and the time
available which forced a certain model. The actual project for the part I was
involved in (the 1.2 update) was originally intended to merely resolve all the
issues with OpenSSL 0.9.7 and nothing more.

I decided that covering a version of OpenSSL that was years out of date was
not really the way to go. So I added FIPS support to 0.9.8 instead largely
subsidised by my own time and out of my own pocket. Quite a few other people
have also donated their own time and resources to keep the FIPS project alive
as well.

Major infrastructural changes were not possible under those constraints.

If funds were available for new validations I could make major revisions to
the architecture. If not then far less will be done: I've got to pay the bills
and eat like everyone else so this stuff is assigned an appropriate priority.

After all most FIPS 140-2 applications are designed to make money out of
government contracts that require compliance.

The same goes for the rest of OpenSSL. The number of organisations (some
multi-nationals and government departments included) that critically rely on
OpenSSL is very large indeed.

It shouldn't be asking too much for some more people to occasionally put some
funding back in.

There are a few exceptions who have kindly funded additions to OpenSSL to
which we are very grateful, but they are alas just that: exceptions.

Anyone interested should contact Steve Marquess, me or the OpenSSL team, or
read my signature ;-)

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
