Graeme Perrow wrote:
>1. In the OpenSSL FIPS FAQ (<http://oss-institute.org/fips-faq.html>), it
>says "Note that it is not compliant with the security policy of FIPS
>validated OpenSSL to use shared libraries." What exactly does this mean?
>Does it mean that your app cannot use shared libraries at all, or that the
>OpenSSL code can't be included in a shared library, or that the OpenSSL code
>can't be in a shared library by itself, or something else?

NIST has some specific "power up self test" requirements that mean a
message digest of the executable must be checked at runtime. We could not
think of a portable and robust way to accomplish that, so the validation
will be confined to executables statically linked with libcrypto.a. Any
other shared library may be used by the referencing application, however.

>2. Where exactly is the security policy document? The FAQ contains a link
>(<http://csrc.nist.gov/cryptval/140-1/1401val2003.htm>), but this lists a
>bunch of documents, none of which appears to be the correct one.

The tense is wrong in the FAQ statement. When NIST awards the final
certificate, it and the Security Policy will be posted at that URL (actually
the 2004 equivalent).

The Security Policy is a document that defines the conditions for using
the validated component, in this case how to build the FIPS mode library
from source and how to build an application using that library. We have
a near final draft but are waiting for it to be blessed by the testing
laboratory and NIST before releasing to the general public. That document
is also written in present/past tense, one of the reasons we aren't
releasing it as NIST frowns on premature claims of validation.

-Steve M.
Steve Marquess
DMLSS Technical Manager
JMLFDC, 623 Porter Street, Ft. Detrick, MD 21702
DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
[EMAIL PROTECTED]
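
The runtime digest check described in the reply above, sketched as an added example; it is not part of the original message and is not OpenSSL's code. It shows that a digest taken over the executable file covers crypto code linked into that file, but not crypto code living in a separate shared library. The key, the HMAC-SHA-256 choice, the file names and the file contents are all constructed assumptions.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed key for this demo; a real module's integrity key and digest
# algorithm are defined by its own security policy.
INTEGRITY_KEY = b"constructed-demo-key"


def fingerprint(path):
    """HMAC-SHA-256 over the bytes of one file, read in chunks."""
    mac = hmac.new(INTEGRITY_KEY, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def power_up_self_test(path, expected):
    """Return True only if the measured file matches the build-time value."""
    return hmac.compare_digest(fingerprint(path), expected)


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Run the executable-only check against a static and a shared layout."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        static_app = os.path.join(d, "app_static")  # crypto code inside the file
        shared_app = os.path.join(d, "app_shared")  # crypto code in another file
        shared_lib = os.path.join(d, "libcrypto_demo.so")
        _write(static_app, b"APP-CODE|CRYPTO-CODE")
        _write(shared_app, b"APP-CODE|load libcrypto_demo.so")
        _write(shared_lib, b"CRYPTO-CODE")
        expected_static = fingerprint(static_app)  # recorded at build time
        expected_shared = fingerprint(shared_app)
        results["static_clean"] = power_up_self_test(static_app, expected_static)
        # Change the crypto code in both layouts, then re-run the self test.
        _write(static_app, b"APP-CODE|CRYPTO-C0DE")
        _write(shared_lib, b"CRYPTO-C0DE")
        results["static_modified"] = power_up_self_test(static_app, expected_static)
        results["shared_modified"] = power_up_self_test(shared_app, expected_shared)
    return results
```

In the shared layout the self test still passes after the library changes, because the measured file never contained the crypto code.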