According to the FIPS 1.2 Security Policy, Appendix A, Platform 8 cannot
be built as FIPS compliant because 'x84-64 asm' is a non-existent
platform. There is no such thing as x84. It should say 'x86-64 asm'.
Validation, from what I understand, only covers those platforms listed.
Strictly-speaking, x86-64 asm is not able to be built as
FIPS-compliant since it is not included in the list (despite supposedly
being a tested platform).
"2. Verify that the SHA1 HMAC digest of the distribution file (see
Appendix B)."
What exactly am I verifying? Either finish the sentence or remove the
word 'that'. Since this sentence is grammatically incorrect which leads
the reader to believe there is more to the step than mentioned, this
step is thus incomplete. Following a path of strict logic, Appendix A,
step 2's incomplete sentence makes it impossible to perform a FIPS
validated build for any platform.
The most critical step of FIPS validated builds in the past was to apply
OS-level security measures to fipscanister (e.g. make specific files
read-only to everyone but root/admin.). Is this done automatically now?
Or what section of the Security Policy did I skim too quickly over
that covers this? If it isn't covered in the Security Policy but needs
to be done, does that invalidate the FIPS validation?
I realize these are nitpicks. However, before I go through the massive
undertaking of putting together a FIPS build for Windows, I need to know
that these are non-issues. The last time I tried to do a FIPS build, it
wasted two weeks of time better spent doing other things.
--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]