On Thu, Sep 10, 2009 at 06:10:27PM +0200, Dr. Stephen Henson wrote:
> On Wed, Sep 09, 2009, Thor Lancelot Simon wrote:
>
> > On Sat, Aug 29, 2009 at 05:34:04PM -0400, Steve Marquess wrote:
> >
> > That this wasn't the obvious approach from the very beginning speaks
> > worlds about the limitations of the ENGINE interface.
>
> The actual story of why FIPS is the way it is is rather different. I think a
> few home truths are in order on this and some related issues.
I'm not sure what the story of how the current FIPS mode was implemented brings to bear on the question of whether the limitations of the ENGINE interface made it unduly hard.

I've been involved in two FIPS validations of vendor versions of OpenSSL. I think one of them may have been one of the first ones ever done. I am aware of how much work you must have done to get things even into the state they are in today -- though I certainly didn't know it was unfunded. On the other hand, I think at this point it is not unreasonable to talk about how design decisions made elsewhere in OpenSSL in the past (and even in the not-so-distant past) make this kind of systematic change harder.

From my point of view, if I were to set out to do a de novo FIPS compliant version of OpenSSL today, the largest obstacle would be the current ENGINE interface. With a more capable interface to ENGINEs, durable FIPS support would be much easier. I'm sorry if I've offended you by saying so, but I can't quite see why -- and I didn't even bring up the subject of why FIPS isn't an ENGINE in this discussion, one of the OpenSSL developers did!

On what is largely a separate topic, but an important one:

You complain that commercial entities use OpenSSL but don't fund it. From my point of view, it is not hard to understand why: it is usually far easier to contribute code or development time than cash, but every time I, at least, have proposed contributing any kind of code to OpenSSL which would involve a structural change, it's been either ignored or shot down by the OpenSSL developers. In several cases developers have privately told me they were working on something else better than what I was offering to contribute -- but then that code mysteriously never showed up in the tree.

So what happens?
Other people responsible for development of vendor versions of OpenSSL at other commercial shops presumably end up in the same situation I do: with trees full of private modifications and enhancements and a great deal of frustration towards OpenSSL itself. At this point, having gone hat-in-hand to my management a number of times asking if I could have my team write (or rewrite) this or that for contribution to OpenSSL, and then having found that OpenSSL wasn't interested or, often, even responsive, I have basically no credibility left to ask that we contribute _anything_ -- certainly not cash which will presumably be spent on development priorities which share little with ours.

This is not a good situation.

Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org