According to the FIPS 1.2 Security Policy, Appendix A, Platform 8 cannot be built as FIPS compliant because 'x84-64 asm' is a non-existent platform. There is no such thing as x84. It should say 'x86-64 asm'. Validation, from what I understand, only covers those platforms listed. Strictly-speaking, x86-64 asm is not able to be built as FIPS-compliant since it is not included in the list (despite supposedly being a tested platform).

"2. Verify that the SHA1 HMAC digest of the distribution file (see Appendix B)."

What exactly am I verifying? Either finish the sentence or remove the word 'that'. Since this sentence is grammatically incorrect which leads the reader to believe there is more to the step than mentioned, this step is thus incomplete. Following a path of strict logic, Appendix A, step 2's incomplete sentence makes it impossible to perform a FIPS validated build for any platform.


The most critical step of FIPS validated builds in the past was to apply OS-level security measures to fipscanister (e.g. make specific files read-only to everyone but root/admin.). Is this done automatically now? Or what section of the Security Policy did I skim too quickly over that covers this? If it isn't covered in the Security Policy but needs to be done, does that invalidate the FIPS validation?


I realize these are nitpicks. However, before I go through the massive undertaking of putting together a FIPS build for Windows, I need to know that these are non-issues. The last time I tried to do a FIPS build, it wasted two weeks of time better spent doing other things.

--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to