-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marquess, Steve Mr JMLFDC
Sent: Thursday, 25 March 2004 7:47 AM
To: '[EMAIL PROTECTED]'
Subject: RE: FIPS mode

Graeme Perrow wrote:

>1. In the OpenSSL FIPS FAQ (<http://oss-institute.org/fips-faq.html>), it
>says "Note that it is not compliant with the security policy of FIPS
>validated OpenSSL to use shared libraries." What exactly does this mean?
>Does it mean that your app cannot use shared libraries at all, or that the
>OpenSSL code can't be included in a shared library, or that the OpenSSL code
>can't be in a shared library by itself, or something else?

NIST has some specific "power up self test" requirements that mean a
message digest of the executable must be checked at runtime. We could not
think of a portable and robust way to accomplish that, so the validation
will be confined to executables statically linked with libcrypto.a. Any
other shared library may be used by the referencing application, however.

>2. Where exactly is the security policy document? The FAQ contains a link
>(<http://csrc.nist.gov/cryptval/140-1/1401val2003.htm>), but this lists a
>bunch of documents, none of which appears to be the correct one.

The tense is wrong in the FAQ statement. When NIST awards the final
certificate, it and the Security Policy will be posted at that URL (actually
the 2004 equivalent).

The Security Policy is a document that defines the conditions for using
the validated component, in this case how to build the FIPS mode library
from source and how to build an application using that library. We have
a near final draft but are waiting for it to be blessed by the testing
laboratory and NIST before releasing to the general public. That document
is also written in present/past tense, one of the reasons we aren't
releasing it as NIST frowns on premature claims of validation.

-Steve M.
Steve Marquess
DMLSS Technical Manager
JMLFDC, 623 Porter Street, Ft. Detrick, MD 21702
DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
[EMAIL PROTECTED]
Hi Steve,

I take it that dynamically linking the FIPS OpenSSL into an executable means
that the FIPS certification is void for that application. So as you have
stated, static linking is required. However, if I'm producing a security
library that uses OpenSSL and I statically link the FIPS OpenSSL into that
security library, but applications dynamically link against my security
library, what does this mean as far as the FIPS certification is concerned?

Regards,
Steven
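To make concrete what Steve's "message digest of the executable checked at runtime" looks like, and why such a check cannot vouch for crypto code that lives in a separately loaded shared object (whether that is libcrypto itself or a wrapper library like the one Steven describes), here is an added model in Python. It is illustrative code written for this page, not OpenSSL's FIPS integrity test: the fixed key, the choice of HMAC-SHA256, the tag-appended-to-the-image layout, and the byte strings standing in for application code and libcrypto.a object code are all assumptions of the example.

```python
"""Model of a power-up integrity self-test over a module image.

The shipped image carries an HMAC of its own code, computed at build time.
At startup the module recomputes the HMAC over the same bytes and refuses
to run if they differ. Because the expected tag is stored inside the image,
the bytes under test must exclude the tag itself.
"""
import hashlib
import hmac

# Assumption: a fixed, public key. The goal is integrity, not secrecy, so the
# key only has to be the same at build time and at runtime.
INTEGRITY_KEY = b"example-fixed-integrity-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes appended to the image


def build_image(code: bytes) -> bytes:
    """Build step: append HMAC-SHA256(code) so the image can check itself."""
    tag = hmac.new(INTEGRITY_KEY, code, hashlib.sha256).digest()
    return code + tag


def power_up_self_test(image: bytes) -> bool:
    """Runtime step: split off the stored tag, recompute over the rest, compare.

    compare_digest is used so the comparison does not leak where the first
    differing byte sits.
    """
    if len(image) <= TAG_LEN:
        return False
    code, stored = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(INTEGRITY_KEY, code, hashlib.sha256).digest()
    return hmac.compare_digest(stored, expected)


def flip_bit(data: bytes, offset: int) -> bytes:
    """Simulate on-disk modification of one byte."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed stand-ins for the application's code and for libcrypto.a code.
APP_CODE = b"application code that calls into the crypto module " * 4
CRYPTO_CODE = b"fips validated crypto object code " * 8


def static_link_detects_tamper() -> bool:
    """Static linking: crypto code is inside the one image the test covers,
    so changing a byte of it makes the self-test fail. Returns True when
    the tampering is detected."""
    image = build_image(APP_CODE + CRYPTO_CODE)
    if not power_up_self_test(image):
        raise RuntimeError("untampered image must pass")
    tampered = flip_bit(image, len(APP_CODE) + 5)  # a byte of the crypto code
    return not power_up_self_test(tampered)


def shared_lib_detects_tamper() -> bool:
    """Shared library: the executable's tag covers only the executable's own
    bytes. The crypto code sits in a separate file that is loaded at runtime,
    so modifying that file leaves the executable's self-test passing.
    Returns True when the tampering is detected (it is not)."""
    exe_image = build_image(APP_CODE)
    modified_lib_file = flip_bit(CRYPTO_CODE, 5)  # never part of exe_image
    del modified_lib_file  # the executable has no view of the library bytes
    return not power_up_self_test(exe_image)


if __name__ == "__main__":
    print("static link, tampering detected:", static_link_detects_tamper())
    print("shared lib, tampering detected: ", shared_lib_detects_tamper())
```

The shared-library case is the same whether the separately loaded file is libcrypto.so or a wrapper library with libcrypto.a statically linked into it: in both layouts the validated code is outside the image that the executable's digest covers, which is the mechanical reason behind the static-linking condition Steve describes. This model says nothing about what NIST or the testing laboratory would accept for Steven's layout.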