Hi Steve,

I want my software to be FIPS 140-2 validated, not just to experiment with
the source.  The Security Policy document points me to
use openssl-fips-1.2.3.tar.gz. Should I remove openssl-0.9.8r.tar.gz?

Regards,

Tatiana

2011/7/15 Steve Marquess <marqu...@opensslfoundation.com>

> > Hi,
> >
> > I'm using openssl (*openssl-0.9.8r.tar.gz*) in a project, and now we
> > want to certify the software with FIPS certification. My question is
> > whether we must have *openssl-fips-1.2.3.tar.gz* to use the OpenSSL FIPS
> > Object Module? In the *openssl-0.9.8r.tar.gz* project we already have some
> > FIPS files. What is the difference between
> > *openssl-fips-1.2.3.tar.gz* and *openssl-0.9.8r.tar.gz*?
> >
> > In User Guide I read the following:
> >
> > "The FIPS Object Module is the special monolithic object module built
> > from the special source distribution identified in the Security
> > Policy. It is not the same as the OpenSSL product or any specific
> > official OpenSSL distribution release."
> >
>
> If you just want to experiment with the source then you will find code
> relevant to FIPS 140-2 functionality in most recent distributions.
>
> If you want to build a FIPS module and claim that it is FIPS 140-2
> validated (n.b.: validated not certified), that is something else entirely.
> To make that claim you must follow the procedures outlined in the relevant
> Security Policy document (for instance,
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1051.pdf)
> where you will see the source code you must start with is uniquely
> identified.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877-673-6775
> marqu...@opensslfoundation.com
>
