Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-15 Thread Thor Lancelot Simon
On Mon, Sep 15, 2003 at 12:57:55PM -0400, Wei Dai wrote: I think I may have found such a written guidance myself. It's guidance G.5, dated 8/6/2003, in the latest Implementation Guidance for FIPS 140-2 on NIST's web site: http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf. This section

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-09 Thread Peter Gutmann
Rich Salz [EMAIL PROTECTED] writes: Sure, that's why it's *the first.* They have never done this before, and it is very different to how they (or their Ft Meade experts) have done things before. I suppose one could argue that they're doing this for Level 1 to increase the industry demand for

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Tolga Acar
On a second thought, that there is no key management algorithm certified, how would one set up a SSL connection in FIPS mode? It seems to me that, it is not possible to have a FIPS 140 certified SSL/TLS session using the OpenSSL's certification. - Tolga

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Thor Lancelot Simon
On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote: On a second thought, that there is no key management algorithm certified, how would one set up a SSL connection in FIPS mode? It seems to me that, it is not possible to have a FIPS 140 certified SSL/TLS session using the OpenSSL's

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Wei Dai
On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote: You are correct, I just saw Crypto++ in the list of FIPS 140 validated modules: http://csrc.nist.gov/cryptval/140-1/140val-all.htm It is the latest entry, added today. Congratulations to Wei Dai! Thanks! Also thanks to Groove

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Tolga Acar
Joshua Hill wrote: On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote: It is the first *source code* certification. The ability to do this runs counter to my understanding of FIPS 140-2. . and to experiences with the previous FIPS 140-1 certifications I was involved in, including

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Joshua Hill
On Fri, Sep 05, 2003 at 06:02:10PM -0400, Wei Dai wrote: In fact they wouldn't even validate Crypto++ as a static library despite an earlier verbal agreement that a static library was ok. It had to be turned into a DLL at the last moment (i.e. during the review phase). That's unfortunate.

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Rich Salz
On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote: It is the first *source code* certification. The ability to do this runs counter to my understanding of FIPS 140-2. Sure, that's why it's *the first.* They have never done this before, and it is very different to how they (or their

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Ben Laurie
Joshua Hill wrote: On Fri, Sep 05, 2003 at 06:02:10PM -0400, Wei Dai wrote: In fact they wouldn't even validate Crypto++ as a static library despite an earlier verbal agreement that a static library was ok. It had to be turned into a DLL at the last moment (i.e. during the review phase).

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Ben Laurie
Wei Dai wrote: On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote: You are correct, I just saw Crypto++ in the list of FIPS 140 validated modules: http://csrc.nist.gov/cryptval/140-1/140val-all.htm It is the latest entry, added today. Congratulations to Wei Dai! Thanks! Also

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-05 Thread Anton Stiglic
Really exiting news. If I'm not mistaken, this would be the first free, open-source, crypto library that has FIPS 140 module certification! Other free open-source libraries have algorithms that have been FIPS 140 certified, but the whole module hasn't been certified (exemple Cryptlib and

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-05 Thread Joshua Hill
On Fri, Sep 05, 2003 at 01:32:21PM -0400, Anton Stiglic wrote: If I'm not mistaken, this would be the first free, open-source, crypto library that has FIPS 140 module certification! I believe that this is incorrect. The two open-source projects that I'm aware of that have FIPS 140 certs