On 30/09/2015 15:34, Steve Marquess wrote:
> On 09/30/2015 09:18 AM, Jakob Bohm wrote:
>> ...
>>
>> Under the new "contribution agreement" scheme, publishing such items
>> early would also make them available to users ...
> Publishing by someone else is fine, go for it. It would be nice to have
> someone else publish FIPS module code, or validation information of any
> kind for that matter. I think the validation process would be a lot less
> capricious with less of the secrecy that is the current norm.

Point is that the contribution agreement contains a bug, whereby
anything not published by the OpenSSL Foundation in the UK is not
licensed to anyone.

Having a publication procedure for things marked "This does NOT
work in its current form, but we are giving you a license" works
around that bug to the benefit of anyone recovering the project
similar to how the original Australian project (SSLeay) was
recovered by Dr. Henson in the UK as OpenSSL.


> Anything we (OpenSSL) publish carries with it an implied support
> obligation, and that's the key problem with FIPS specific code: it can't
> be "verified" in any meaningful sense other than with an official formal
> FIPS 140-2 validation. The FIPS 140-2 requirements are more metaphysical
> and ideological than technical, and what's worse those requirements are
> applied very subjectively. By that I mean that on multiple occasions
> I've had the experience of taking very similar or even precisely
> identical code through parallel validations, with different end results.
>
> The presence of FIPS specific code in an OpenSSL repo would imply some
> sort of suitability for use with FIPS validations. No matter how many
> disclaimers and caveats we attached to that, there would still be
> vendors trying to use it to obtain validations and encountering
> problems. Guess who they're gonna call?
>
> That problem is avoided if we obtain an open source based validation --
> one where the module is distributed in source code form -- that has been
> successfully validated. That validation then speaks for itself.
>
>> ...
>>> We also have plans for a significant rewrite of the FIPS module
>>> from its current form, and it's unlikely any third party submissions
>>> would fit that vision.
>> Interesting, I wonder if those plans include my previously
>> posted ideas:
>> ...
> There are some issues with those ideas, but now is not the time to get
> into details. We'll worry about it if and when we have an opportunity to
> do a new open source based validation.
Agreed, just making sure they were posted somewhere you
could find them when the time comes.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
