Hello,

From my understanding, the US government cannot buy a FIPS 140-2
compliant product after 2010.  But my employer spoke to someone who said
they can still purchase a FIPS 140-2 validated product as long as they
are "transitionally" compliant by only using cryptographic algorithms
that have sufficient strength and follow the guidelines in:
http://csrc.nist.gov/publications/drafts/800-131/draft-800-131_transition-paper.pdf

- SHA-1 will not be approved for digital signature generation but will
be approved for other uses including digital signature verification,
HMACs, KDFs, RNGs, and the approved integrity technique specified in
Section 4.6.1 of FIPS 140-2;

Since the FIPS module digest is generated with SHA-1, I do not know if
this will automatically make this issue dead in the water.

Has anyone heard of this or dealt with this, or made OpenSSL FIPS
compliant for post-2010 (with the understanding that it has not been
validated for compliance)?

If this has been discussed already, I apologize.  I could not find
anything on this issue, just on whether or not there will be a FIPS
140-3 validation in the future for OpenSSL.

thank you very much,
-=- adam grossman

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
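The SHA-1 use the quoted SP 800-131 draft keeps approved, and the one the poster is worried about, is the FIPS 140-2 section 4.6.1 software integrity test: a keyed MAC over the module image, recomputed at power-up and compared against a value embedded at build time. The following is an added example, not code from the original post or from the OpenSSL FIPS Object Module: it builds such a check on HMAC-SHA-1 (which falls under "HMACs" and "the approved integrity technique" in the quoted bullet, not under signature generation). The module image, the integrity key and the trailer layout are all constructed assumptions for the example.

```python
"""Added example (not from the post or from OpenSSL): a FIPS 140-2
section 4.6.1 style software integrity test using HMAC-SHA-1.

Assumptions (not from the post): the module image below is a constructed
byte string standing in for a compiled module, INTEGRITY_KEY is a
hypothetical fixed key, and the expected MAC is appended as a 20-byte
trailer, as a build step might embed it.
"""
import hmac
import hashlib

# Hypothetical fixed integrity key (an assumption; a real module compiles
# its key in at build time). The key is not secret: it only binds the MAC
# to this module's build, it does not authenticate the vendor.
INTEGRITY_KEY = b"example-integrity-key"

# Constructed stand-in for a compiled FIPS module image.
MODULE_IMAGE = (
    b"\x7fELF" + b"\x00" * 12 +
    b"fips_module_v1.2 " + bytes(range(256)) +
    b"\n.text: AES SHA-1 SHA-256 HMAC RSA DRBG\n"
)

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes


def module_mac(image: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """HMAC-SHA-1 over the whole module image (raw 20-byte digest)."""
    return hmac.new(key, image, hashlib.sha1).digest()


def embed_integrity_mac(image: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """Build step: append the expected MAC to the image as a trailer."""
    return image + module_mac(image, key)


def split_blob(blob: bytes):
    """Separate the image from its 20-byte MAC trailer."""
    if len(blob) <= MAC_LEN:
        raise ValueError("blob too short to carry an integrity trailer")
    return blob[:-MAC_LEN], blob[-MAC_LEN:]


def verify_module_integrity(blob: bytes, key: bytes = INTEGRITY_KEY) -> bool:
    """Power-up self-test: recompute the MAC over the image portion and
    compare it to the embedded trailer in constant time. A False result
    is what a module would treat as a hard failure (enter the error state
    and refuse all cryptographic operations)."""
    image, expected = split_blob(blob)
    return hmac.compare_digest(module_mac(image, key), expected)


# SHA-1 uses the quoted SP 800-131 draft keeps approved after 2010 versus
# the one it withdraws. Used here to label the integrity test's category.
SHA1_ALLOWED_USES = frozenset({
    "signature_verification", "hmac", "kdf", "rng", "module_integrity",
})
SHA1_DISALLOWED_USES = frozenset({"signature_generation"})


def sha1_use_allowed(use: str) -> bool:
    """True if the named SHA-1 use stays approved under the draft transition."""
    if use in SHA1_ALLOWED_USES:
        return True
    if use in SHA1_DISALLOWED_USES:
        return False
    raise ValueError(f"unknown SHA-1 use: {use!r}")


def demo():
    """Walk through a clean build, a good self-test and a tampered image."""
    blob = embed_integrity_mac(MODULE_IMAGE)
    ok = verify_module_integrity(blob)
    # Flip one bit inside the image portion (constructed tampering).
    tampered = bytes([blob[40] ^ 0x01]).join([blob[:40], blob[41:]])
    tampered_ok = verify_module_integrity(tampered)
    return {
        "clean_passes": ok,
        "tampered_passes": tampered_ok,
        "integrity_use_allowed": sha1_use_allowed("module_integrity"),
        "signing_use_allowed": sha1_use_allowed("signature_generation"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that this test is only as strong as the protection of the stored MAC: anyone who can rewrite the image can rewrite the trailer too, so the check detects corruption and accidental modification, not a capable attacker. That is exactly why the 4.6.1 integrity test sits in the still-approved category alongside HMACs rather than with SHA-1 signature generation.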
