Steve, Thank you very much for your response. > If you can get that lab to publish the details, please do :-)
I will check. Thanks, John On Thu, Dec 13, 2012 at 7:53 AM, Steve Marquess < marqu...@opensslfoundation.com> wrote: > On 12/12/2012 06:17 PM, John Corbin wrote: > > Is there a document that lists the appropriate 800-56a standards the > > OpenSSL FIPS module conforms to and for each applicable section listed in > > the 800-56a standard as conforming, is there a listing for all statements > > that are not "shall" (that is, "shall not", "should", and "should not")? > If > > the included functionality is indicated as "shall not" or "should not" in > > the 800-56a standard, then is there a document providing rationale for > why > > this will not adversely affect the security policy implemented by the > > OpenSSL FIPS module. Is any omission of functionality related to "shall" > or > > “should” statements described? > > > > I have looked at the document OpenSSL FIPS Object Module Version 2.0.2 > and > > looked at table 4a but did not find a detailed discussion on how it > > satisfies the 800-56a standard. > > There is no such document. We have already published what we can. In the > course of that validation (#1747) we responded to many questions from > the test lab about SP 800-56A, but that correspondence is strewn across > many months. That test lab presumably has an internal analysis summary > but if so it has not been made available to us or to the public. > > Note it is the function of the accredited test lab to perform a review > of all aspects of FIPS 140-2, in particular the Derived Test > Requirements, but the test lab is not obligated to release the details > of such assessments, and in my experience none of them do. Those details > are treated as a trade secret. The FIPS 140-2 validation process is not > an open one; we've done what we could to open it up but there is much > that the prospective vendor seeking a new independent validation must > revisit. > > I will note that, to the extent I have been privy to details on that > type of internal test lab analysis, different test labs often take very > different approaches. So an analysis done by lab A may be of minimal use > to lab B. The same basic OpenSSL FIPS Object code has now been validated > many times by multiple test labs, so we know that there are one or more > correct answers to every question that arises in the course of a > validation, but those individual answers are not necessarily consistent > from one validation to another. You'll need to work with your test lab > to develop your own set of internally consistent answers. > > If you can get that lab to publish the details, please do :-) > > -Steve M. > > -- > Steve Marquess > OpenSSL Software Foundation, Inc. > 1829 Mount Ephraim Road > Adamstown, MD 21710 > USA > +1 877 673 6775 s/b > +1 301 874 2571 direct > marqu...@opensslfoundation.com > marqu...@openssl.com >
