> Hi,
>
> Is the FIPS module certification missed if the fipscanister
> module is compiled to a configuration (architecture, compiler version
> etc) different from those listed in the OpenSSL security policy? Our
> concern is if a change to something on the build tools like compiler
> version or architecture can invalidate the certification.

That's a very general question, so I can't give a specific answer. It depends.

A rough rule of thumb is that if you create a FIPS module (fipscanister.o) on a formally tested platform (O/S and processor as listed in the Security Policy), and if that binary file when copied as-is to another platform executes successfully, then you are *generally* justified in claiming it as validated.

The Implementation Guidance document (http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf) is a more official discussion. See in particular section G.5.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[email protected]
