Regarding the certificate, it will never be updated. Whenever the CMVP
updates a listing because of a change letter process (IG G.5 scenario 1)
they only update the website listing. They never update the certificate.
The understanding is that the website listing supersedes the certificate.
Please see CMVP FAQ (
http://csrc.nist.gov/groups/STM/cmvp/documents/CMVPFAQ.pdf) section 5.9,
"If the CMVP validation web site does not match the posted certificate,
which is valid?":
*When a module is validated, an entry is posted on the CMVP web site
validation list along with a softcopy of the initial printed validation
certificate. The hardcopy validation certificate is for informational
purposes only. The CMVP web site validation list is the official source of
validation information in reference to the module. If changes are made to
the module that would change the referenced certificate information, only
the web site validation list is updated.*

Also note that the security policy that is currently linked to on the
website only mentions 1.2.3 as the validated module. There is no mention
of 1.2.

All of this points to the conclusion that 1.2 is not FIPS validated
currently. If the intention was to not remove 1.2, I would highly recommend
contacting your FIPS laboratory and getting it changed. It would be quite
simple to change this. My suspicion is that when the laboratory submitted
the change letter they forgot to include 1.2 in the list of changes
required to the validation. As such, CMVP removed the 1.2 listing.

Thanks!

-Ashit

On Thu, Mar 8, 2012 at 5:32 PM, Steve Marquess <
marqu...@opensslfoundation.com> wrote:

> On 03/08/2012 05:12 PM, Steve Marquess wrote:
> > On 03/08/2012 04:05 PM, Ashit Vora wrote:
> >> Thanks Steve. This makes sense (i.e. newer versions subsuming older
> >> versions).
> >>
> >> However given that 1.2 is no longer listed on the NIST website, that
> >> version can no longer be considered FIPS validated. This is an issue for
> >> deployed products that have depended on v1.2 for FIPS compliance.
> >
> > Well, I disagree.  Though I will be the first to note that only the CMVP
> > is in a position to make any authoritative pronouncements.
>
> I should also point out that the certificate still references the
> original revision number 1.2:
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt1051.pdf
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marqu...@opensslfoundation.net
>
