Thanks, that makes things a lot clearer for me.
Not sure what we will do.

Isaac

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Steve Marquess
Sent: Thursday, 26 February 2015 14:18
To: openssl-users@openssl.org
Subject: Re: [openssl-users] End of the line for the OpenSSL FIPS Object Module?

On 02/26/2015 07:04 AM, Isaac Hailperin wrote:
> Steve,
> 
> thank you for alerting us. Do I understand correctly that by 
> "platform", not  a general OS (like "Linux", "Solaris") on a specific 
> hardware (sparc, x86, ...) is meant, but a very specific distribution 
> release, like "Ubuntu 14.04", or "CentOS 7.0", on e.g. x86? This would 
> mean that there would be no fips compliant openssl build possible on 
> e.g. a future "CentOS 8.1"?

Note the pedantically correct term is "FIPS 140-2 validated", not "FIPS 
compliant". But yes, correct.

> We are currently using the fips module on Solaris 10, and have plans 
> to use it on Linux, probably RHEL 7.X, but depending on the time in 
> the future, that could well be RHEL 8.X.

"Platform" -- technically "Operational Environment" or "OE" -- is a rather 
peculiar concept in the context of FIPS 140-2 validations, and unfortunately 
one that has never been clearly defined (also one that changes over time due to 
ever shifting CMVP "guidance").

Based on observation and the conventional wisdom of the FIPS validation 
community, I'll attempt an oversimplified, unofficial, non-authoritative, 
non-definitive, and thoroughly worthless definition:

For Level 1 validations, very roughly speaking, an OE is an operating system 
name (e.g. "Ubuntu") and the first two dot-rev levels of the version number 
(e.g. "14.04" for "14.04.01", "14.04.02", etc.), *and* a "processor 
architecture". All x86-64 processors with AES-NI (again roughly speaking) are 
the same "processor architecture", as are all those without (and ditto for 
ARMv7 and NEON).

32- and 64-bit code comprise separate "platforms", and a given OS+OS
version+processor architecture+address bit length "platform" running
"bare-iron" constitutes a different "platform" from the exact same
software+hardware combination running virtualized under each distinct
brand name and version of hypervisor environment. So for instance

  Ubuntu 14.04 64bit on Intel Xeon E3-1220 under VMware ESXi 5.1

is a different "platform" from

  Ubuntu 14.04 64bit on Intel Xeon E3-1220 under VMware ESXi 5.5

I've left out a number of known exceptions, complications, and anomalies...

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users