On 11/14/2012 04:21 PM, mclellan, dave wrote: > Thanks for that clarification. It's not so cut and dry, I see. > > About this: "... and don't even bother to build fipscanister.o"... Then on > what grounds could they claim FIPS compliance?
There is a common confusion between "FIPS compliant" (implying FIPS 140-2) and FIPS 140-2 validated. Only the latter term really has a concrete meaning, namely that the specific cryptographic implementation has been formally tested and listed at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm. To even further muddy the waters, a FIPS 140-2 validated module may also support non-approved modes of operation where any arbitrary algorithms may be used, and (as already noted) even in the FIPS approved mode of operation non-approved cryptographic algorithms like MD5 can be used in specific circumstances. I've been told by many software vendors that end use customers often don't deploy their products with the FIPS 140-2 approved mode of operation enabled. If you're selling a product containing cryptography to the U.S. or Canadian governments, policy says it should be FIPS 140-2 validated, not "compliant". Obviously a lot of crypto used in that arena isn't, but that's the formal policy. At other levels actual enabling of FIPS 140-2 may also be required. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
