David Stafford wrote:
> What are the issues, if any, with using the "FIPS module" after the
> end of 2010?
> Does the certificate number 1051 become invalid?

My best guess at this point is that the OpenSSL FIPS Object Module v1.2
(aka the #1051 validation) proper remains usable, as that exact and
specific module. However, "private label" validations of that same
source code become much more difficult, i.e. that code base will no
longer be directly suitable for the rubber stamp validations so many
commercial vendors have done under their own names.
<rant>
I find it sad and ironic that many vendors are willing to fund private
revalidations of the same code, over and over again, yet no one is
willing to support the open source validations that make those possible
in the first place. The total amount invested that way across the
industry (and hence indirectly paid for by taxpayers, as FIPS validated
products are of primary interest to the government market) dwarfs the
cost of a single open source based validation that everyone could use.
</rant>
We (the OSF) are part of the problem too; we do private label
validations for pay (shameless plug: very cost effectively as we'd had a
lot of practice). Such work doesn't improve the publicly available
OpenSSL product but it does help pay the rent. We'd much rather work on
the open source software, however.
-Steve M.
--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org