Re: [openssl-users] Reasons to go from 2.0.9 FOM to 2.0.12 ?

2016-08-19 Thread Steve Marquess
On 08/19/2016 12:43 PM, jonetsu wrote:
> Hello,
> 
> We are using FOM 2.0.9 for an embedded product that will go for FIPS
> validation.  Validation of the full product, that is.  All
> development so far is with 2.0.9.  What would be the reasons, if any,
> to update to 2.0.12 before going to the lab ?
> 
> Thanks - comments much appreciated.

No reason at all, if 2.0.9 works for you as-is and you're getting your
own validation.

Unlike the usual case for software, where continual improvements and
bugfixes are routinely implemented, we're not allowed to do bugfixes or
refinements (not even security vulnerability mitigations) for validated
modules. So later revisions of the OpenSSL FIPS Object Module are not
"better" in any meaningful way as you'd normally assume. The only
difference between revisions[*] is the addition of platform specific
portability mods. As part of the validation process we have to
demonstrate that the revision mods can't have any effect on any
previously tested platforms.

On the other hand, since there are no substantive differences between
2.0.9 and 2.0.13, and since you're apparently going to the expense and
trouble of obtaining a copycat validation, there's no reason for you
*not* to use 2.0.13. That way you'd potentially have coverage for more
platforms.

-Steve M.

[*] Removal of Dual EC DRBG -- arguably a vulnerability mitigation -- at
revisions 2.0.6 and 2.0.8 is a singular exception to that rule.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Reasons to go from 2.0.9 FOM to 2.0.12 ?

2016-08-19 Thread jonetsu
Hello,

We are using FOM 2.0.9 for an embedded product that will go for FIPS 
validation.  Validation of the full product, that is.  All development so far 
is with 2.0.9.  What would be the reasons, if any, to update to 2.0.12 before 
going to the lab ?

Thanks - comments much appreciated.





Re: [openssl-users] OpenSSL FOM 2.0.12 - Windows Compliance

2016-08-19 Thread Steve Marquess
On 08/19/2016 07:20 AM, Imran Ali wrote:
> Hi Guys,
>
> I need some help. I am looking for some evidence which I can provide to
> my auditor that FOM 2.0.12 is FIPS-140 compliant when compiled and used
> in a Windows environment. When I look at the NIST web site under
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
> I cannot see the 2.0.12 version.
>
> Is there something I am missing?

Yes, it's rather confusing.

The one and only OpenSSL FIPS module ("OpenSSL FIPS Object Module 2.0")
is -- for perverse bureaucratic reasons[*] -- covered by three
separate[**] FIPS-140 validations:

  #1747 (revisions 2.0, 2.0.1, ..., 2.0.10)
  #2389 (revisions 2.0.9, ..., 2.0.13)
  #2473 (revisions 2.0.9, 2.0.10)

As always the latest revision (for a given validation) subsumes all
tested platforms listed for that validation. So for instance, 2.0.13 can
be used for all 33 platforms currently listed for validation #2398.
There are about 200 distinct platforms now across all validations.

So you need to look at the listed platforms for all validations[**], and
find which of them cover your platform (possibly more than one). Then
use the latest revision of the module for that validation.

If you only find your platform(s) of interest on a validation ending at
revision 2.0.10 (#1747, #2473), then you're forced to use revision
2.0.10 even though 2.0.13 (and future revisions) are completely backward
compatible. From a technical perspective 2.0.N is completely
functionally equivalent to all previous revisions < N, but down in the
FIPS-140 rabbit hole you're limited to the latest revision for the
relevant validation(s)[***].

The easy way to remember it is "one real-world module, multiple
FIPS-land validations". Or as one of my colleagues would put it,
"...multiple flavors of FIPS-140 magical pixie dust". The choice of
validation certificate number is a paper-chase exercise.

-Steve M.

[*] Obscenely perverse, I'm not even going to try and explain it. In
fact IMHO no rational explanation is possible.

[**] Technically speaking more than three; validations #2391, #2422,
#2454, #2575, #2631, #2676, and possibly others are "copycat" clones
done by third parties that introduce yet more platforms. Since these
validations are for the same OpenSSL FIPS module they are also
accessible to all under the OpenSSL license.

[***] OTOH note the later revisions aren't "better" than the earlier
ones in any meaningful sense, as we're not allowed to do feature
enhancements or bug-fixes (not even vulnerability mitigations). With
most software it's prudent to always use the latest revision to pick up
bugfixes and refinements; for the FIPS module it doesn't matter.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


[openssl-users] OpenSSL FOM 2.0.12 - Windows Compliance

2016-08-19 Thread Imran Ali
Hi Guys,

I need some help. I am looking for some evidence which I can provide to my
auditor that FOM 2.0.12 is FIPS-140 compliant when compiled and used in a
Windows environment. When I look at the NIST web site under
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 I
cannot see the 2.0.12 version.

Is there something I am missing?


Regards,

Imran Ali

Engineering Product Lead


t: +44 (0) 118 943 0485

m: +44 (0) 780 113 7865

w: www.enghouseinteractive.com

e: imran@enghouse.com

Enghouse Interactive (UK) Ltd is a company registered in England and Wales. 
Registered number: 04230977. Registered office: Imperium, Imperial Way, 
Reading, Berkshire, RG2 0TD.
