On Mon, Dec 27, 2010 at 6:47 AM, Henrik Grindal Bakken <[email protected]> wrote:
> > 3) obtaining your own from-scratch validation starting with the 1.0.0
> > baseline. Good luck with that, you have a long row to hoe.
>
> We're going for 3), but as I said, our crypto module is not OpenSSL,
> it's the entire product, so the OpenSSL FIPS Object Module isn't
> interesting for me. What is interesting, however, are the self-tests.
>
> > Incidentally, unless you're seeking a Level 2 validation for a non-CC
> > certified environment you'll regret defining the crypto module boundary
> > to include your entire application.
>
> I am seeking a level 2 validation. It's not really an application,
> it's a hardware device.
Because the 1.0.x releases don't have any support for FIPS, they don't
implement the FIPS-mandated tests. OpenSSL can't help with prevalidation
now, since its FIPS-validated mode fails new validation standards
compliance in some manner. You're probably already dealing with having to
fork the code (to prevent any use of non-FIPS-approved algorithms when
your hardware is operating in FIPS-validated mode). This suggests that
your best option might be to import the self-tests from fips-1.2.2 into
your own fork.

-Kyle H
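The two mechanisms Kyle's reply refers to, power-on known-answer self-tests and a gate that refuses non-approved algorithms while the device runs in FIPS mode, are sketched below as an added, constructed example. It is not code from this thread, from the OpenSSL FIPS Object Module, or from Henrik's product; the class and function names, the error-state handling and the `APPROVED` set are assumptions chosen to illustrate the pattern, and the known-answer values are the published SHA-256 example vector for "abc" and RFC 4231 HMAC-SHA-256 test case 2.

```python
"""FIPS-style power-on self-test (POST) plus approved-algorithm gate.

Constructed illustration, not OpenSSL or fips-1.2.2 code. The shape is the
one a validated module needs: run known-answer tests (KATs) before any
service is offered, drop into a hard error state on any mismatch, and
refuse non-approved algorithms while FIPS mode is on.
"""
import hashlib
import hmac

# Known-answer vectors (published values, embedded here so the test is
# self-contained): SHA-256("abc") and RFC 4231 test case 2 for HMAC-SHA-256.
KATS = [
    ("sha256",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("hmac-sha256",
     lambda: hmac.new(b"Jefe", b"what do ya want for nothing?",
                      hashlib.sha256).hexdigest(),
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]

# Assumed security-policy list of approved digest names (hashlib spelling).
# A real policy is fixed by the validation, not by the code.
APPROVED = {"sha1", "sha224", "sha256", "sha384", "sha512"}


class FipsError(Exception):
    """Raised when a service is requested that the module state forbids."""


class CryptoModule:
    """Hypothetical crypto boundary with FIPS mode and an error state."""

    def __init__(self, fips_mode=True):
        self.fips_mode = fips_mode
        self.error_state = False
        self.post_passed = False

    def power_on_self_test(self, kats=KATS):
        """Run every KAT. Returns the list of failing test names.

        Any failure latches the error state; the module then refuses all
        cryptographic services until it is re-initialised and re-tested.
        """
        failures = [name for name, run, expected in kats if run() != expected]
        self.error_state = bool(failures)
        self.post_passed = not failures
        return failures

    def digest(self, alg, data):
        """Hash `data` with `alg`, subject to module state and FIPS policy."""
        if self.error_state:
            raise FipsError("module is in the error state; no services")
        if not self.post_passed:
            raise FipsError("self-tests have not been run")
        if self.fips_mode and alg not in APPROVED:
            raise FipsError(f"{alg} is not an approved algorithm in FIPS mode")
        return hashlib.new(alg, data).hexdigest()


def tampered_kats():
    """Copy of KATS with one expected value corrupted, to exercise failure."""
    name, run, expected = KATS[0]
    return [(name, run, "00" + expected[2:])] + KATS[1:]


if __name__ == "__main__":
    m = CryptoModule()
    print("POST failures:", m.power_on_self_test())
    print("sha256:", m.digest("sha256", b"abc"))
    try:
        m.digest("md5", b"abc")
    except FipsError as e:
        print("rejected:", e)
```

The point worth noticing is the ordering: `digest()` checks the error state before anything else, so a failed KAT cannot be bypassed by toggling `fips_mode` afterwards, and a module that was never self-tested is treated the same as one that failed.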