On 03/08/2012 06:09 PM, Ashit Vora wrote:
> Regarding the certificate, it will never be updated. Whenever the CMVP
> updates a listing because of a change letter process (IG G.5 scenario 1)
> they only update the website listing. They never update the certificate.
> The understanding is that the website listing supersedes the
> certificate. Please see CMVP FAQ
> (http://csrc.nist.gov/groups/STM/cmvp/documents/CMVPFAQ.pdf) section
> 5.9, "If the CMVP validation web site does not match the posted certificate,
> which is valid?":
> /
> When a module is validated, an entry is posted on the CMVP web site
> valuation list along with a softcopy of the initial printed validation
> certificate. The hardcopy validation certificate is for informational
> purposes only. The CMVP web site validation list is the official source
> of validation information in reference to the module. If changes are
> made to the module that would change the referenced certificate
> information, only the web site validation list is updated./
> 
> Also note that the security policy that is currently linked to on the
> website only mentions 1.2.3 as the validated module. There is no mention
> of 1.2.

It is mentioned:  "...The v1.2.3 Module can be used in any environment
supported by the earlier v1.2 Module.". I can see where you may have
been confused by that and the statement "Note that the OpenSSL FIPS
Object Module v1.2.3 completely replaces the earlier OpenSSL FIPS
Object Module v1.2.", but those refer to the functional completeness of
the modified module (the fact that there is no OE for which only an
earlier revision works); *not* the legitimacy of the original validation.

> All of this points to the conclusion that 1.2 is not FIPS validated
> currently.

Sorry, I still disagree.  Of course the certificate isn't updated, that
was my point (and now no individual certificate is issued at all).

A change letter mod is an update to an existing validation, not a new
validation.  Only the new changed element(s) are considered and previous
validation review and testing is not repeated.  For instance, the most
recent mod was to add two new platforms.  None of the prior OE testing,
or source code or document review was repeated, because all of that
prior testing remains valid. Ditto for the earlier mods. By your theory
all of the hundreds of thousands (millions...?) of deployed instances of
the 1.2, 1.2.1, 1.2.2 modules have retroactively become illegitimate --
a significant fraction of all deployed FIPS 140-2 validated software.  I
do not believe that is the case and I leave it to you to prove otherwise
by filing an objection with the CMVP (yes, anyone can challenge the
legitimacy of our validations and that was in fact done a number of
times for the early OpenSSL FIPS Object Module Validations).

> If the intention was to not remove 1.2, I would highly
> recommend contacting your FIPS laboratory and getting it changed. It
> would be quite simple to change this. My suspicion is that when the
> laboratory submitted the change letter they forgot to include 1.2 in
> the list of changes required to the validation. As such CMVP removed
> 1.2 listing.

We did not "forget" anything, for any of the change letter mods (via
multiple labs, incidentally). The updates were all carefully designed to
be strictly cumulative, differing only in the addition of new OEs with
newer revisions subsuming but not invalidating earlier ones.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.net
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
