Re: Post-2010 future of the OpenSSL FIPS Object Module?
Michael Sierchio wrote:

> Forgive my ignorance, but are you a 501(c)3? Can you communicate that in a signature line so it's obvious?

The OpenSSL Software Foundation (OSF) is *not* a non-profit corporation. It was created for the purpose of supporting the commercial activities of OpenSSL team members (some of whom earn all their income from OpenSSL related consulting work). We did consider the benefits of non-profit status, but after legal consultation concluded that those benefits were nil in our specific circumstances. Achieving non-profit status under the U.S. tax code takes a long time, is expensive, and involves restrictions on the activities of the non-profit entity. Our primary focus is providing paid services to the commercial software industry and not the solicitation of charitable contributions from the world at large.

We believe that via the OSF we provide cost effective solutions to hard-nosed commercial enterprises, and non-profit status is irrelevant to such potential sponsors and customers (roughly speaking any expenses a for-profit corporation incurs are "tax deductible" by default). We don't expect nor are we soliciting contributions from individuals (I should note that if any charitable contributions are offered -- it happens very rarely -- the OSF will pass through 100% of any such donations directly to OpenSSL team members).

Commercial enterprises can support us, and at the same time realize good value for their investment, in one of three ways:

1) Hire OpenSSL team members on an hourly consulting basis
2) Contract with the OSF for specific work-for-hire development on a fixed price basis
3) Purchase annual software support contracts

All of these revenue sources indirectly support OpenSSL activities such as development of the FIPS module, but a support contract could be structured to do so directly and explicitly. Such customer(s) would then be assured that the validation would be available when needed and that it would be directly applicable to their intended use.

> Do you have a list of commercial vendors who use OpenSSL? A list of companies that use it internally (that would be nearly everyone who uses Linux, UNIX, *BSD, etc.)? That would be the basis of fundraising activity (I mean making phone calls, which is something nearly everyone can do). $150,000 is not an intimidating amount for anyone who's done fundraising.

To my knowledge there are no companies of any significant size who do *not* use OpenSSL in some way -- including even some very large companies not thought to be much enamored of open source. Since we sign and respect non-disclosure agreements I'm not going to mention any names here, though I will note the commercial sponsors of past validations that wished to be so identified are referenced on the acknowledgments page of the respective Security Policy documents (some have elected to not be identified).

I think $150,000 is a cost effective investment for a number of software vendors to make to assure the continued availability of a validated OpenSSL FIPS Object Module for their commercial applications. For most such companies that cost is going to be less than that for switching to a non-OpenSSL alternative, even if only one such company has to foot the entire bill.

-Steve M.

--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Post-2010 future of the OpenSSL FIPS Object Module?
Jason Schultz wrote:

> One point of confusion for me, I read this email to say the OpenSSL FIPS Object Module v1.2 will (may?) not be usable beyond 2010. But in the first discussion link, I read that to say that the v1.2 Module will not be suitable for "private label" validations (which require changes to FIPS module code and/or build process).

A "private label" validation is one which takes the v1.2 source code and validates it under a different label with little or no source code changes (yes, some private label validations use the source code exactly as-is). It appears to be pretty certain that those private label validations will no longer be possible after 2010, because the reference v1.2 source code won't meet some of the new requirements.

> Is it accurate to say that using the FIPS module as described in the 2nd bullet here: http://openssl.org/docs/fips/fipsnotes.html, with no changes and building as described on your platform, that it can be used as a validated cryptographic module beyond 2010?

The tradition for validated modules has generally been that once validated a module remains validated indefinitely. However, the wording of some of the CMVP transition documentation implies that may not be the case post-2010. I've heard that these transitional requirements, which are still officially in draft form, are generating some significant unfavorable feedback from industry. Changes or clarification are possible. So at this point I really don't know what the validity of certificate #1051 will be after 2010.

-Steve M.

--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
Re: Post-2010 future of the OpenSSL FIPS Object Module?
On 2/19/2010 11:00 AM, Michael Sierchio wrote:
> Steve Marquess wrote:
>> In the three years since the open source based FIPS 140-2 validated
>> OpenSSL FIPS Object Module became available many software vendors have
>> directly or indirectly utilized it to realize substantial cost and
>> schedule savings. We're glad to see the widespread benefits of these
>> hard won validations
>
> Steve -
>
> Forgive my ignorance, but are you a 501(c)3? Can you communicate that
> in a signature line so it's obvious?
>
> Do you have a list of commercial vendors who use OpenSSL? A list of
> companies that use it internally (that would be nearly everyone who
> uses Linux, UNIX, *BSD, etc.)? That would be the basis of fundraising
> activity (I mean making phone calls, which is something nearly everyone
> can do). $150,000 is not an intimidating amount for anyone who's done
> fundraising.
>
> - M
>

The OpenSSL Foundation is *NOT* a 501(c)3. This is described at http://www.openssl.org/support/donations.html

Jeffrey Altman
Re: Post-2010 future of the OpenSSL FIPS Object Module?
Steve Marquess wrote:
> In the three years since the open source based FIPS 140-2 validated
> OpenSSL FIPS Object Module became available many software vendors have
> directly or indirectly utilized it to realize substantial cost and
> schedule savings. We're glad to see the widespread benefits of these
> hard won validations

Steve -

Forgive my ignorance, but are you a 501(c)3? Can you communicate that in a signature line so it's obvious?

Do you have a list of commercial vendors who use OpenSSL? A list of companies that use it internally (that would be nearly everyone who uses Linux, UNIX, *BSD, etc.)? That would be the basis of fundraising activity (I mean making phone calls, which is something nearly everyone can do). $150,000 is not an intimidating amount for anyone who's done fundraising.

- M

--
Michael Sierchio
RE: Post-2010 future of the OpenSSL FIPS Object Module?
One point of confusion for me, I read this email to say the OpenSSL FIPS Object Module v1.2 will (may?) not be usable beyond 2010. But in the first discussion link, I read that to say that the v1.2 Module will not be suitable for "private label" validations (which require changes to FIPS module code and/or build process).

Is it accurate to say that using the FIPS module as described in the 2nd bullet here: http://openssl.org/docs/fips/fipsnotes.html, with no changes and building as described on your platform, that it can be used as a validated cryptographic module beyond 2010?

I believe the above to be true, this email cast some doubt, however.

Thanks.

> Date: Thu, 18 Feb 2010 17:27:54 -0500
> From: marqu...@opensslfoundation.com
> To: openssl-users@openssl.org
> Subject: Post-2010 future of the OpenSSL FIPS Object Module?
>
> In the three years since the open source based FIPS 140-2 validated
> OpenSSL FIPS Object Module became available many software vendors have
> directly or indirectly utilized it to realize substantial cost and
> schedule savings. We're glad to see the widespread benefits of these
> hard won validations.
>
> Recently I've been contacted by many OpenSSL users and software vendors
> concerned about upcoming changes announced by the CMVP (the government
> agency responsible for FIPS 140-2 validations). Briefly stated, these
> changes will mean that the current OpenSSL FIPS Object Module v1.2 may
> not be usable beyond the current year (see
> http://openssl.org/docs/fips/fipsnotes.html for some more discussion).
>
> Those concerns are not relieved when I respond that we have no plans at
> present to pursue a new validation that would result in an OpenSSL FIPS
> Object Module usable after 2010. However, that situation is due to a
> lack of funding and not a lack of interest on our part. We will tackle
> a new validation with enthusiasm at the first opportunity.
>
> The purpose of this open message is twofold:
>
> First, to note that we are actively soliciting sponsors for a post-2010
> FIPS 140-2 validation of the OpenSSL FIPS Object Module. We don't know
> the precise cost for several reasons including the number of platforms
> that would be covered, the degree of refactoring that would be
> appropriate, or the resolution of several ambiguous areas in the draft
> CMVP transition announcements. However, we're fairly comfortable that
> the total cost would be in the range of US$50,000 to US$150,000. That's
> a huge sum to us but a relatively modest amount for some major
> corporations utilizing OpenSSL.
>
> Second, to note that I consider it highly probable that we will
> eventually find funding for this effort, the real question is whether
> that funding will materialize in time to obtain a new validation before
> the current one becomes obsolete. The economics are simply too
> compelling for any of a number of large software vendors that would
> otherwise be faced with paying a comparable cost for commercial
> proprietary licenses. One or more of these vendors will do the math
> and, reluctantly, step forward to make it happen. The reluctance is
> understandable because that vendor will effectively be carrying the
> burden for the entire industry; that's one of the dilemmas of the open
> source world.
>
> It would make more sense for multiple vendors to jointly sponsor the
> cost. I encourage any potential sponsors to contact us with the amount
> they would be willing to sponsor and the specific platforms they would
> want included. We'll keep track of the total until we think we have
> enough to launch a validation effort, then pull everyone together to
> make it happen.
>
> As for timing, note that a six month timeframe to obtain a validation is
> the most optimistic I would dare hope for. Nine or more months is more
> realistic. One apparently uncomplicated validation we worked on took
> thirteen months, and the very first open source based validation took
> five years. It's not a speedy process and it can't be hurried once the
> paperwork is submitted to the CMVP, and that's the stage that consumes
> the most time. The sooner we can start the better.
>
> Thanks,
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877-673-6775
> marqu...@opensslfoundation.com
Post-2010 future of the OpenSSL FIPS Object Module?
In the three years since the open source based FIPS 140-2 validated OpenSSL FIPS Object Module became available many software vendors have directly or indirectly utilized it to realize substantial cost and schedule savings. We're glad to see the widespread benefits of these hard won validations.

Recently I've been contacted by many OpenSSL users and software vendors concerned about upcoming changes announced by the CMVP (the government agency responsible for FIPS 140-2 validations). Briefly stated, these changes will mean that the current OpenSSL FIPS Object Module v1.2 may not be usable beyond the current year (see http://openssl.org/docs/fips/fipsnotes.html for some more discussion).

Those concerns are not relieved when I respond that we have no plans at present to pursue a new validation that would result in an OpenSSL FIPS Object Module usable after 2010. However, that situation is due to a lack of funding and not a lack of interest on our part. We will tackle a new validation with enthusiasm at the first opportunity.

The purpose of this open message is twofold:

First, to note that we are actively soliciting sponsors for a post-2010 FIPS 140-2 validation of the OpenSSL FIPS Object Module. We don't know the precise cost for several reasons including the number of platforms that would be covered, the degree of refactoring that would be appropriate, or the resolution of several ambiguous areas in the draft CMVP transition announcements. However, we're fairly comfortable that the total cost would be in the range of US$50,000 to US$150,000. That's a huge sum to us but a relatively modest amount for some major corporations utilizing OpenSSL.

Second, to note that I consider it highly probable that we will eventually find funding for this effort, the real question is whether that funding will materialize in time to obtain a new validation before the current one becomes obsolete. The economics are simply too compelling for any of a number of large software vendors that would otherwise be faced with paying a comparable cost for commercial proprietary licenses. One or more of these vendors will do the math and, reluctantly, step forward to make it happen. The reluctance is understandable because that vendor will effectively be carrying the burden for the entire industry; that's one of the dilemmas of the open source world.

It would make more sense for multiple vendors to jointly sponsor the cost. I encourage any potential sponsors to contact us with the amount they would be willing to sponsor and the specific platforms they would want included. We'll keep track of the total until we think we have enough to launch a validation effort, then pull everyone together to make it happen.

As for timing, note that a six month timeframe to obtain a validation is the most optimistic I would dare hope for. Nine or more months is more realistic. One apparently uncomplicated validation we worked on took thirteen months, and the very first open source based validation took five years. It's not a speedy process and it can't be hurried once the paperwork is submitted to the CMVP, and that's the stage that consumes the most time. The sooner we can start the better.

Thanks,

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com