Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-15 Thread Thor Lancelot Simon
On Mon, Sep 15, 2003 at 12:57:55PM -0400, Wei Dai wrote: I think I may have found such a written guidance myself. It's guidance G.5, dated 8/6/2003, in the latest Implementation Guidance for FIPS 140-2 on NIST's web site: http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf. This section

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-09 Thread Peter Gutmann
Rich Salz [EMAIL PROTECTED] writes: Sure, that's why it's *the first.* They have never done this before, and it is very different to how they (or their Ft Meade experts) have done things before. I suppose one could argue that they're doing this for Level 1 to increase the industry demand for

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Tolga Acar
On a second thought, that there is no key management algorithm certified, how would one set up an SSL connection in FIPS mode? It seems to me that it is not possible to have a FIPS 140 certified SSL/TLS session using the OpenSSL's certification. - Tolga

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Thor Lancelot Simon
On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote: On a second thought, that there is no key management algorithm certified, how would one set up an SSL connection in FIPS mode? It seems to me that it is not possible to have a FIPS 140 certified SSL/TLS session using the OpenSSL's

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Wei Dai
On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote: You are correct, I just saw Crypto++ in the list of FIPS 140 validated modules: http://csrc.nist.gov/cryptval/140-1/140val-all.htm It is the latest entry, added today. Congratulations to Wei Dai! Thanks! Also thanks to Groove

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Tolga Acar
Joshua Hill wrote: On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote: It is the first *source code* certification. The ability to do this runs counter to my understanding of FIPS 140-2. . and to experiences with the previous FIPS 140-1 certifications I was involved in, including

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Joshua Hill
On Fri, Sep 05, 2003 at 06:02:10PM -0400, Wei Dai wrote: In fact they wouldn't even validate Crypto++ as a static library despite an earlier verbal agreement that a static library was ok. It had to be turned into a DLL at the last moment (i.e. during the review phase). That's unfortunate.

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Rich Salz
On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote: It is the first *source code* certification. The ability to do this runs counter to my understanding of FIPS 140-2. Sure, that's why it's *the first.* They have never done this before, and it is very different to how they (or their

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Ben Laurie
Joshua Hill wrote: On Fri, Sep 05, 2003 at 06:02:10PM -0400, Wei Dai wrote: In fact they wouldn't even validate Crypto++ as a static library despite an earlier verbal agreement that a static library was ok. It had to be turned into a DLL at the last moment (i.e. during the review phase).

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Ben Laurie
Wei Dai wrote: On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote: You are correct, I just saw Crypto++ in the list of FIPS 140 validated modules: http://csrc.nist.gov/cryptval/140-1/140val-all.htm It is the latest entry, added today. Congratulations to Wei Dai! Thanks! Also

OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-05 Thread Rich Salz
This is tremendously exciting. For the first time ever, NIST will be certifying a FIPS 140 implementation based on the source code. As long as the pedigree of the source is tracked, and checked at run-time, then applications can claim FIPS certification. For details:

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-05 Thread Anton Stiglic
++). And OpenSSL crypto module runs on all kinds of platforms. Really nice! --Anton - Original Message - From: Rich Salz [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:50 AM Subject: OpenSSL *source* to get FIPS 140-2 Level 1 certification

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-05 Thread Joshua Hill
On Fri, Sep 05, 2003 at 01:32:21PM -0400, Anton Stiglic wrote: If I'm not mistaken, this would be the first free, open-source, crypto library that has FIPS 140 module certification! I believe that this is incorrect. The two open-source projects that I'm aware of that have FIPS 140 certs