One point of confusion for me: I read this email to say the OpenSSL FIPS Object 
Module v1.2 will (may?) not be usable beyond 2010.  But in the first discussion 
link, I read that to say that the v1.2 Module will not be suitable for "private 
label" validations (which require changes to FIPS module code and/or build 
process).

 

Is it accurate to say that using the FIPS module as described in the 2nd bullet 
here: http://openssl.org/docs/fips/fipsnotes.html, with no changes and building 
as described on your platform, that it can be used as a validated cryptographic 
module beyond 2010? 

 

I believe the above to be true; this email cast some doubt, however.

 

Thanks.


 
> Date: Thu, 18 Feb 2010 17:27:54 -0500
> From: marqu...@opensslfoundation.com
> To: openssl-users@openssl.org
> Subject: Post-2010 future of the OpenSSL FIPS Object Module?
> 
> In the three years since the open source based FIPS 140-2 validated 
> OpenSSL FIPS Object Module became available many software vendors have 
> directly or indirectly utilized it to realize substantial cost and 
> schedule savings. We're glad to see the widespread benefits of these 
> hard won validations.
> 
> Recently I've been contacted by many OpenSSL users and software vendors 
> concerned about upcoming changes announced by the CMVP (the government 
> agency responsible for FIPS 140-2 validations). Briefly stated, these 
> changes will mean that the current OpenSSL FIPS Object Module v1.2 may 
> not be usable beyond the current year (see 
> http://openssl.org/docs/fips/fipsnotes.html for some more discussion).
> 
> Those concerns are not relieved when I respond that we have no plans at 
> present to pursue a new validation that would result in an OpenSSL FIPS 
> Object Module usable after 2010. However, that situation is due to a 
> lack of funding and not a lack of interest on our part. We will tackle 
> a new validation with enthusiasm at the first opportunity.
> 
> The purpose of this open message is twofold:
> 
> First, to note that we are actively soliciting sponsors for a post-2010 
> FIPS 140-2 validation of the OpenSSL FIPS Object Module. We don't know 
> the precise cost for several reasons including the number of platforms 
> that would be covered, the degree of refactoring that would be 
> appropriate, or the resolution of several ambiguous areas in the draft 
> CMVP transition announcements. However, we're fairly comfortable that 
> the total cost would be in the range of US$50,000 to US$150,000. That's 
> a huge sum to us but a relatively modest amount for some major 
> corporations utilizing OpenSSL.
> 
> Second, to note that I consider it highly probable that we will 
> eventually find funding for this effort, the real question is whether 
> that funding will materialize in time to obtain a new validation before 
> the current one becomes obsolete. The economics are simply too 
> compelling for any of a number of large software vendors that would 
> otherwise be faced with paying a comparable cost for commercial 
> proprietary licenses. One or more of these vendors will do the math 
> and, reluctantly, step forward to make it happen. The reluctance is 
> understandable because that vendor will effectively be carrying the 
> burden for the entire industry; that's one of the dilemmas of the open 
> source world.
> 
> It would make more sense for multiple vendors to jointly sponsor the 
> cost. I encourage any potential sponsors to contact us with the amount 
> they would be willing to sponsor and the specific platforms they would 
> want included. We'll keep track of the total until we think we have 
> enough to launch a validation effort, then pull everyone together to 
> make it happen.
> 
> As for timing, note that a six month timeframe to obtain a validation is 
> the most optimistic I would dare hope for. Nine or more months is more 
> realistic. One apparently uncomplicated validation we worked on took 
> thirteen months, and the very first open source based validation took 
> five years. It's not a speedy process and it can't be hurried once the 
> paperwork is submitted to the CMVP, and that's the stage that consumes 
> the most time. The sooner we can start the better.
> 
> Thanks,
> 
> -Steve M.
> 
> -- 
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877-673-6775
> marqu...@opensslfoundation.com