>> They would have to get their own validation, their own lab to verify,
etc., etc.
> That seems to contradict the other answer, which is that legally, the
> FIPS cannister (properly built) can be used with any software outside
> the cryptographic boundary, the soon-to-be-deprecated OpenSSL 1.0.2
> library just being the normal default.
You are correct. My statement, which was technically incorrect, is more likely
to be realistic :)
> The point is that some people may soon be in a desperate need to find a
FIPS-capable replacement for OpenSSL 1.0.x.
It seems to me that the easiest thing to do is maintain that release of OpenSSL
by themselves.
If someone is thinking of fitting OpenSSL 1.1.x to become a user of the
existing FOM, then they will probably find it easier to, well, just maintain
what currently works.
Just because something is past "end of life" does not mean that anyone's
ability to use it is revoked. It just means that keeping it working is their
responsibility. Anyone can use the FOM until it expires (sunsets is the term
used), which lasts one year beyond 1.0.2 as I recall. See
https://www.openssl.org/blog/blog/2018/05/18/new-lts/ for some more information
on this.
