Re: graphic arts help needed

2014-05-13 Thread Steve Marquess
I've just received feedback from the prospective user of our first "OpenSSL Sponsor" logo and they chose this one: http://opensslfoundation.com/testing/data/openssl-platinum-sponsor-logo.jpg from JAaron Anderson. Thanks to everyone who sent a logo. I was thrilled to have so many choic

Donation from Nick Shapley of Pen Test Partners

2014-05-13 Thread Steve Marquess
The OpenSSL project recently received a donation of US$500 from Nick Shapley on behalf of Pen Test Partners (http://www.pentestpartners.com/). Thank you Nick and Pen Test Partners! -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1

Re: Linux Foundation's Core Infrastructure Initiative progress?

2014-05-13 Thread Steve Marquess
with the initiative? Nothing official yet, but I'm cautiously optimistic that we'll be able to announce something in about a week. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct ma

Corporate donation from Globalsign

2014-05-14 Thread Steve Marquess
supporting The OpenSSL Software Foundation." Thank you Globalsign. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: htt

Donation from Smartisan Technology

2014-05-27 Thread Steve Marquess
and maintained. This donation is some pretty significant support :-) Thank you Smartisan Technology, and Mr. Yonghao Luo. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu

Platinum Sponsorship by Huawei

2014-05-28 Thread Steve Marquess
rk of many years should not go unnoticed and unrecognised. Please accept our thanks as you have saved us a lot of time and money." A platinum sponsorship is a truly excellent way to say thanks :-) Thank you Huawei! -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ep

Re: Platinum Sponsorship by Huawei

2014-05-28 Thread Steve Marquess
On 05/28/2014 05:18 PM, Frans de Boer wrote: > On 05/28/2014 10:05 PM, Steve Marquess wrote: >> Please accept our thanks as you have saved >> us a lot of time and money > > Yes, quite an understatement :\ > > Now a state sponsored company is sponsoring openssl.org? Th

Linux Foundation Core Infrastructure Initiative fellowships

2014-05-29 Thread Steve Marquess
iple issues and revitalize OpenSSL. I hope we'll have some detailed plans to share publicly in a week or two. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marq

Re: Linux Foundation Core Infrastructure Initiative fellowships

2014-05-29 Thread Steve Marquess
On 05/29/2014 11:39 AM, Steve Marquess wrote: > I am very pleased to announce that the Linux Foundation Core > Infrastructure Initiative (CII), > http://www.linuxfoundation.org/programs/core-infrastructure-initiative, > has extended full time fellowships to Stephen Henson and An

Sponsorship by Milton Security Group

2014-05-29 Thread Steve Marquess
ustainable funding of this sort is especially useful as it allows for long range planning. In the aggregate such sustainable funding will allow us to embark on major long term objectives. Thank you Milton Security Group and Jim McMurry! -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc.

Expansion of the OpenSSL team

2014-06-12 Thread Steve Marquess
some sort of coherence. In the meantime we greatly appreciate the patience and support shown by so many of you in the OpenSSL community. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 di

Donation from VT Enterprise

2014-06-13 Thread Steve Marquess
^11+2^8 dollars ($2,304). Thank you Victor and VT Enterprise! -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http

Expansion of the OpenSSL team

2014-06-19 Thread Steve Marquess
I am pleased to announce the addition of Emilia Kasper to the OpenSSL team (see https://www.openssl.org/about/). This brings us up to twelve active team members and adds some strong cryptographic skills. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road

Expansion of the OpenSSL Team

2014-06-21 Thread Steve Marquess
I am pleased to announce the addition of Rich Salz and Kurt Roeckx to the OpenSSL team (see https://www.openssl.org/about/). They both bring a long record of past contributions. This brings the count up to fourteen. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount

Removal of Dual EC DRBG from the OpenSSL FIPS module

2014-06-30 Thread Steve Marquess
ed to retroactively remove Dual EC DRBG from that as well. If that approval is not given we'll be in the odd position of re-introducing Dual EC DRBG with revision 2.0.7 when that is eventually approved. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Ada

OpenSSL roadmap

2014-07-01 Thread Steve Marquess
it's taken a long time to get to this point, but that's not for lack of vigorous activity on the part of the team. We're keenly aware that we have a long haul ahead of us and wanted to be sure we started off in the right direction with the right objectives. -Steve M. -- Steve Ma

Donation from AirVPN

2014-07-02 Thread Steve Marquess
weeks poll. The most voted project is awarded a donation (https://airvpn.org/topic/10122-guidelines). The OpenSSL project was the top contender for all the proposed May projects with a poll held in June. Thank you AirVPN, and AirVPN community! -Steve M. -- Steve Marquess OpenSSL Software

Re: TPM support with OpenSSL FIPS Object Module

2014-07-04 Thread Steve Marquess
d validated implementations of kernel crypto as used by the kernel itself and by protocols like IPsec. So you really need to let your marketing and senior management folks make the call. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 US

Re: TPM support with OpenSSL FIPS Object Module

2014-07-04 Thread Steve Marquess
e OpenSSL FIPS Object Module v2.0) is no longer usable as-is for copycat validations. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg

Re: OpenSSL engine support in OpenSSL FIPS Object Module

2014-07-05 Thread Steve Marquess
enSSL doesn't do better, faster, more securely). A new validation will be necessary. You will find such a validation a significant challenge even without the source code mods you contemplate. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD

Two new versions of the OpenSSL FIPS Object Module v2.0: 2.0.6 and 2.0.7

2014-07-07 Thread Steve Marquess
MVP web site still points to the 2.0.6 revision of that document. That error has been reported and should be corrected in a few days. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opens

Re: Making Open SSH FIPS compliant

2014-07-16 Thread Steve Marquess
her newer patches may be available elsewhere. Also note that in a U.S. DoD context you'll probably need x.509 support as well (this is available in patches from Roumen Petrov). -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1

Re: FIPS change letter process

2014-07-21 Thread Steve Marquess
icated" platforms our cost for adding that platform to the #1747 validation is typically US$15,000 (sometimes less for current clients or multiple platforms done at once). Anything running Linux *probably* qualifies as "uncomplicated". If you can afford to wait long enough t

Re: Open SSL version with FIPS Certified code and TLS 1.2 Support

2014-07-22 Thread Steve Marquess
will support TLS 1.2 and (if properly built) contain a FIPS 140-2 validated cryptographic module. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu..

Re: openssl-fips-1.2.4

2014-09-01 Thread Steve Marquess
On 09/01/2014 06:55 AM, Gayathri Manoj wrote: > Hi All, > > Please let me know how can I see the FIPS certificate for > openssl-fips-1.2.4. > > Thanks, > Gayathri http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051 -Steve M. -- Steve Marquess OpenSS

OpenSSL FIPS Object Module 2.0.8 now available - Dual EC DRBG removed (again)

2014-09-13 Thread Steve Marquess
unless you feel removal of Dual EC DRBG warrants such an upgrade. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http

The ascension of Matt Caswell

2014-11-04 Thread Steve Marquess
Akamai in particular. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0x6D

Re: Where to download OpenSSL FIPS v2.0.9

2014-11-21 Thread Steve Marquess
ope to see 2.0.9 out sometime in mid February. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl

Re: Differences between openssl-fips-2.0.7 and 2.0.8

2014-11-21 Thread Steve Marquess
several stakeholders and interested parties, that the mere presence of latent Dual EC DRBG code is a potential problem. I have discussed that issue in a personal blog entry: http://veridicalsystems.com/blog/immutability-of-fips/ for those who care to stare into that abyss. -Steve M. -- Steve

[openssl-users] Call for HP Proliant wizard

2014-12-15 Thread Steve Marquess
"SPP") and would be willing to do a little hand-holding then please drop me a line. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundat

[openssl-users] OpenSSL mail outage tomorrow 1200-1400UTC

2014-12-22 Thread Steve Marquess
We've been experiencing some issues with the system that handles @openssl.org E-mail and the mailing lists. The hardware vendor will be swapping the system board Tuesday Dec. 23 beginning at 1200UTC. The outage is expected to take approximately two hours. -Steve M. -- Steve Marquess Op

[openssl-users] Another record-breaking donation from Smartisan Technology

2014-12-30 Thread Steve Marquess
prospects. Thank you Smartisan Technology, and CEO Mr. Yonghao Luo. I hope that in roughly a year from now with the release of OpenSSL 1.1 you will be pleased with what we have accomplished. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710

[openssl-users] OpenSSL FIPS module breaks the century mark

2015-01-04 Thread Steve Marquess
evelopment it's preferable to use the latest revision as that will be valid for all tested platforms. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marq

Re: [openssl-users] OpenSSL source reformat

2015-01-06 Thread Steve Marquess
it around would be a bit of an issue. I have enough trouble with declarations and import duties for computer gear; I have no idea what's involved with recuperative beverages. But I volunteer to drink it and tell my colleagues how good it was :-) -Steve M. -- Steve Marquess OpenSSL Softwar

[openssl-users] Platinum Sponsorship by Oracle

2015-01-14 Thread Steve Marquess
that module would not have been possible. Thank you Oracle! -Steve M. -- Steve Marquess OpenSSL Software Foundation Inc. 20-22 Wenlock Road London N1 7GU United Kingdom +44 1785508015 +1 301 874 2571 direct marqu...@opensslfoundation.org ste...@openssl.org

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-16 Thread Steve Marquess
sually triggered by /proc/sys/crypto/fips_enabled > containing "1" or the environment variable OPENSSL_FORCE_FIPS_MODE=1 > (at least for the certs done by SUSE and Redhat, which do not use the > container blob). That is (presumably) true for the proprietary RH and SUSE distros; not so fo

Re: [openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS (1.0.1)

2015-01-16 Thread Steve Marquess
nd your application will automatically be using the embedded FIPS module (with non-approved crypto operations disabled). -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu

Re: [openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS (1.0.1)

2015-01-20 Thread Steve Marquess
ally tested platforms: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-27 Thread Steve Marquess
On 01/26/2015 06:21 PM, jone...@teksavvy.com wrote: > On Fri, 16 Jan 2015 10:16:48 -0500 > Steve Marquess wrote: > >> On 01/15/2015 05:52 AM, Marcus Meissner wrote: > >>> On Linux usually triggered by /proc/sys/crypto/fips_enabled >>> contai

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-27 Thread Steve Marquess
On 01/27/2015 11:09 AM, jonetsu wrote: > "Steve Marquess" wrote on 01/27/15 09:18: Thank > you (and Tom) for your comments - much appreciated. > >> Tom Francis nailed the answer to this one. We did design the FIPS >> module + "FIPS capable" OpenSSL com

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-28 Thread Steve Marquess
all those commercial vendors selling to the USG and DoD; speculative code that would make it easier for vendors like you to pursue private proprietary validations would be of interest to a far smaller subset. We have enough demands on our limited resources as it is to expend them on such a limite

Re: [openssl-users] OpenSSL FIPS mode system integration

2015-02-19 Thread Steve Marquess
less and there is no reason to use it (unless you want to pay and wait for your own custom validation of the modified code). -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfo

Re: [openssl-users] FIPS, continuous tests, and error reporting

2015-02-19 Thread Steve Marquess
e of those tautological tests *does* fail, then you have worse problems than a non-functioning FIPS module. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.c

Re: [openssl-users] Blank pages in FIPS 2.0 user guide

2015-02-20 Thread Steve Marquess
my list... a long list unfortunately. At the moment any spare time I have available for FIPS issues is spent addressing yet another existential threat to the open source based validations. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA

Re: [openssl-users] FIPS methods and symlinks

2015-02-25 Thread Steve Marquess
On 02/24/2015 10:26 PM, Tom Francis wrote: > ... > > Steve Marquess: Is the document (which IIRC, you published back > before the first validation) on how/why the FIPS Object Module was > coded still available somewhere? If so, that’d probably be a good > starting point f

[openssl-users] End of the line for the OpenSSL FIPS Object Module?

2015-02-25 Thread Steve Marquess
lidation), this is the time to speak up. Feel free to contact me directly for specific suggestions or to coordinate with other stakeholders. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct

Re: [openssl-users] End of the line for the OpenSSL FIPS Object Module?

2015-02-26 Thread Steve Marquess
der each distinct brand name and version of hypervisor environment. So for instance Ubuntu 14.04 64bit on Intel Xeon E3-1220 under Vmware ESXi 5.1 is a different "platform" from Ubuntu 14.04 64bit on Intel Xeon E3-1220 under Vmware ESXi 5.5 I've left out a number of kno

Re: [openssl-users] End of the line for the OpenSSL FIPS Object Module?

2015-02-27 Thread Steve Marquess
enting the addition of new platforms. If new platforms cannot be added to those hard-won validations, the overall utility to the end user community is greatly reduced. Even worse, the pursuit of new validations becomes economically infeasible. I'm open to suggestions on improving that web page

Re: [openssl-users] End of the line for the OpenSSL FIPS Object Module?

2015-02-27 Thread Steve Marquess
t I've found that the platform sponsors are usually delighted to have the option of paying themselves for a platform validation now rather than waiting indefinitely. Those sponsors usually have pending sales that easily justify the platform validation costs. The hard part has always been funding

Re: [openssl-users] 1.0.2 FIPS help

2015-03-05 Thread Steve Marquess
ion, e.g.: gunzip -c openssl-fips-2.0.9.tar.gz | tar xf - cd openssl-fips-2.0.9 ./config make make install exactly as documented. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct m

Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread Steve Marquess
vel 2 or 3 validation of a turnkey system including OS and apps. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@

Re: [openssl-users] FIPS: ECC licensing

2015-03-16 Thread Steve Marquess
http://openssl.com/testing/validation-2.0/docs/NSA-PLA.pdf -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@o

[openssl-users] FIPS 140-2 hostage rescue underway

2015-03-18 Thread Steve Marquess
emain available (that's the big win). Compliance paperwork will require some careful attention to the multiple validations which will overlap the same module (the downside). Confusion is inevitable, feel free to post questions to this list. -Steve M. -- Steve Marquess OpenSSL Software Foundation, In

Re: [openssl-users] SP800-90 DRBG in OpenSSL FIPS 140 for SP800-90A?

2015-03-22 Thread Steve Marquess
ty Policy document: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf which is worth referencing for any "does the OpenSSL FIPS Object Module have X" questions. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown,

Re: [openssl-users] FIPS: Which DRBG ?

2015-03-24 Thread Steve Marquess
d from the formal standards and also from the OpenSSL FIPS Object Module). Now the code for the OpenSSL FIPS module can no longer be used as-is for new "private label" or copycat validations, but that's for different reasons and not because of the DRBGs. -Steve M. -- Steve Marq

Re: [openssl-users] FIPS: Which DRBG ?

2015-03-24 Thread Steve Marquess
validation) at the first opportunity, but that opportunity has not yet presented itself. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com ma

Re: [openssl-users] FIPS: Which DRBG ?

2015-03-24 Thread Steve Marquess
On 03/24/2015 01:27 PM, jonetsu wrote: > > >> From: "Steve Marquess" Date: 03/24/15 12:38 >> > > >> No, the OpenSSL FIPS module 2.0 code is no longer suitable (as of >> early 2014) for use as-is in doing copycat validations. Some >> non-tr

Re: [openssl-users] FIPS Linux kernel documentation ?

2015-03-25 Thread Steve Marquess
umentation/ as per 3.18.2. - thanks. I wasn't aware the Linux kernel (the real one, not proprietary commercial derivatives) had a "FIPS" mode. Please enlighten me. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 67

Re: [openssl-users] FIPS Linux kernel documentation ?

2015-03-26 Thread Steve Marquess
On 03/25/2015 06:26 PM, jone...@teksavvy.com wrote: > On Wed, 25 Mar 2015 17:03:04 -0400 > Steve Marquess wrote: > >> I wasn't aware the Linux kernel (the real one, not proprietary >> commercial derivatives) had a "FIPS" mode. Please enlighten me. > >

Re: [openssl-users] FIPS Linux kernel documentation ?

2015-03-26 Thread Steve Marquess
fossilized code that would always be a painfully awkward fit in the Linux ecosystem. We'd still consider tackling that, with financial sponsorship, but we have no prospects for such. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 2171

Re: [openssl-users] FIPS Linux kernel documentation ?

2015-03-26 Thread Steve Marquess
f the only open source based FIPS 140-2 validations that have ever been done I can tell you that those are *much* harder. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct m

Re: [openssl-users] FIPS Linux kernel documentation ?

2015-03-26 Thread Steve Marquess
On 03/26/2015 01:41 PM, Jakob Bohm wrote: > On 26/03/2015 16:56, Steve Marquess wrote: >> On 03/26/2015 11:30 AM, John Foley wrote: >>> We looked at this very briefly a couple of years ago. In theory, there >>> may be a way to achieve the goal as a loadable kernel modul

Re: [openssl-users] FIPS Linux kernel documentation ?

2015-03-27 Thread Steve Marquess
On 03/27/2015 04:45 AM, Henrik Grindal Bakken wrote: > Steve Marquess > writes: > >>> If the CMVP bureaucracy insists on a specific kernel version >>> for the platform number, this should be one of the "Long Term >>> Support" kernel releases to ma

Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?

2015-04-06 Thread Steve Marquess
OpenSSL FIPS will be supported on Linux-aarch64? When we have a sponsor to cover the non-trivial costs of a "platform" validation. We're working on some iOS and Android ARMv8 platforms, but have nothing planned for Linux on ARMv8. -Steve M. -- Steve Marquess OpenSSL Software Foun

Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?

2015-04-06 Thread Steve Marquess
n a substantial amount of labor. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://

Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?

2015-04-06 Thread Steve Marquess
"better understand/review" the existing code. The code itself is open source, so as Obi-Wan said, "use the source, Luke". -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct

Re: [openssl-users] FIPS mode restrictions and DES

2015-04-13 Thread Steve Marquess
are components of your product. FIPS 140-2 is the tail that wags the dog. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@open

Re: [openssl-users] FIPS mode restrictions and DES

2015-04-14 Thread Steve Marquess
eep in mind that at Level 1 the validation applies to the cryptographic module, not the calling application that uses that module nor the operating system that runs it. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA

Re: [openssl-users] FIPS mode restrictions and DES

2015-04-14 Thread Steve Marquess
On 04/14/2015 09:42 AM, jonetsu wrote: > > >> From: "Steve Marquess" Date: 04/14/15 09:31 >> > >> and note that of the 101 platforms ("OEs") appearing there, most >> of those operating systems are neither CC certified nor have any >>

Re: [openssl-users] FIPS 140-2 on iOS

2015-04-28 Thread Steve Marquess
exception to that rule is "user affirmation" per I.G. G.5, but while technically a legitimate means of satisfying FIPS 140-2 validation requirements that has limited practical value in the USG/DoD market. Note I'm only discussing Level 1 validations here; Levels 2 and

[openssl-users] FIPS 140-2 hostages executed

2015-06-16 Thread Steve Marquess
them to particular hypervisor versions they would have chosen the latter. Instead they were forced to choose between preserving their platforms and adding new platforms, which led us down the "ransom" path and months of delay... -Steve M. [*] See http://openssl.com/fips/hostage.html,

[openssl-users] Provisional FIPS 140-2 casualty list

2015-06-18 Thread Steve Marquess
t the CMVP will eventually correct. Also, I expect to receive permission from at least some of the directly impacted platform sponsors to supply information for revised platform descriptions. Once those are up, then you can panic. New developments will be noted in this new web page. -Steve

Re: [openssl-users] Provisional FIPS 140-2 casualty list

2015-06-22 Thread Steve Marquess
ve M. [*] retroactive requirements changes imposed on in-process validation actions have long been common, and are part of the challenge of completing any validation action with any kind of predictable budget or schedule. The imposition of retroactive changes on previously approved validations is a

[openssl-users] Call for FIPS 140-2 stakeholders

2015-06-22 Thread Steve Marquess
don't know about. If you are such a stakeholder and would like to participate in those discussions please let me know (contact info below) and I'll make the appropriate introductions. -Steve M. [*] see http://openssl.com/fips/aftermath.html -- Steve Marquess OpenSSL Software Found

[openssl-users] New FIPS 140-2 "SE" Validation Approved

2015-06-26 Thread Steve Marquess
r, but we won't know for sure until we get some sort of response. -Steve M. [*] http://openssl.com/fips/ransom.html [**] http://openssl.com/fips/hostage.html [***] http://openssl.com/fips/aftermath.html -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710

Re: [openssl-users] New FIPS 140-2 "SE" Validation Approved

2015-06-30 Thread Steve Marquess
on for a product that contains the OpenSSL FIPS Object Module. Yes, the fact that the OpenSSL FIPS module already has a Level 1 validation can help. But, FIPS 140-2 is a tricky business so you should consult with your accredited FIPS 140-2 test lab for advice specific to your unique circumstances. -St

[openssl-users] FIPS 140-2 casualty list -- Ubuntu 10.4 still MIA

2015-07-08 Thread Steve Marquess
he Big Blob presumably works in your favor. But, platform 8 is unambiguously "MIA" (Missing in Action) so any use of the OpenSSL FIPS module on that platform, Ubuntu 10.04 on x86, is officially non-validated. -Steve M. [*] http://openssl.com/fips/aftermath.html -- Steve Marquess Ope

Re: [openssl-users] FIPS test parse error?

2015-07-15 Thread Steve Marquess
he known good one above. Also note that if you're trying for a new validation (which is the only reason I can think of for attempting to do algorithm tests) you're in for a painful surprise; some non-trivial code hacking will be necessary to meet new requirements imposed since the #1747 v

[openssl-users] FIPS 140-2 casualty list (continued)

2015-08-11 Thread Steve Marquess
ill; in the past change letter approvals have taken as long as six months. That connection makes no sense at all to me, but it's not the first time I've been completely befuddled. -Steve M. [1] https://mta.openssl.org/pipermail/openssl-users/2015-July/001706.html [2] http://openssl.c

Re: [openssl-users] Forcing the FIPS module to fail (no way)

2015-09-02 Thread Steve Marquess
e" calculation a bit. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@openssl.com marqu...@opensslfoundation.net gpg/pgp key: http://openss

[openssl-users] FIPS module 2.0.10 revision approved

2015-09-07 Thread Steve Marquess
ms to the #2398 validation. We'll have to wait to see if any more surprises are in store. For now we are continuing to write change letter platform validation contracts, but with yet more caveats as the risk factors seem to keep rising. -Steve M. -- Steve Marquess OpenSSL Software Foundati

[openssl-users] the fickleness of FIPS

2015-09-07 Thread Steve Marquess
her; do a "s/SE/RE/g" substitution to http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2398.pdf and you have the other validation. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 d

Re: [openssl-users] How to enable FIPS mode by default of the OpenSSL FIPS modules

2015-09-14 Thread Steve Marquess
runtime options; the typical httpd binary install won't have FIPS support. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http

Re: [openssl-users] Is there any patch for OpenSSH for it to work with OpenSSL FIPS?

2015-09-18 Thread Steve Marquess
ents for FIPS 140-2 and x.509, or with various homegrown vendor hacks that probably introduce still more vulnerabilities. I've long felt there would be a market for a "U.S. government compliant" version of OpenSSH, but if that's ever done it won't be by the OpenSSH maintainers

Re: [openssl-users] Is there any patch for OpenSSH for it to work with OpenSSL FIPS?

2015-09-21 Thread Steve Marquess
DoD clients, and I'm sure I wasn't the only one. There are also a handful of commercial knockoffs of OpenSSH supposedly adapted for DoD compliance, though I've been out of that arena long enough to no longer recall their names. -Steve M. -- Steve Marquess OpenSSL Software Foundati

Re: [openssl-users] Key Deriviation Function Tests for TLS

2015-09-22 Thread Steve Marquess
for your proprietary OpenSSL based "private label" validation. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@ope

Re: [openssl-users] Key Deriviation Function Tests for TLS

2015-09-23 Thread Steve Marquess
on. IMHO there isn't much point in accepting and committing speculative code, i.e. code that we can't actually use in OpenSSL. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@op

Re: [openssl-users] Key Derivation Function Tests for TLS

2015-09-23 Thread Steve Marquess
On 09/23/2015 07:09 AM, Steve Marquess wrote: > On 09/22/2015 07:26 PM, John Foley (foleyj) wrote: >> Pull request 368 has KDF support for FIPS: >> https://github.com/openssl/openssl/pull/368 >> >> >> I've already updated libsrtp to use this API for FIPS comp

Re: [openssl-users] Key Derivation Function Tests for TLS

2015-09-28 Thread Steve Marquess
On 09/28/2015 09:13 AM, John Foley wrote: > On 09/23/2015 08:16 AM, Steve Marquess wrote: >> John, let me elaborate on my comment above by noting that the Cisco >> contribution includes a bunch of FIPS specific code for which there is >> no counterpart on the master branch (i.

Re: [openssl-users] Key Derivation Function Tests for TLS

2015-09-30 Thread Steve Marquess
compete open source FIPS module themselves, and deal with the inevitable onslaught of requests for support. I get those almost daily, usually in the form of "we're trying to do our own validation and need a little help...". -Steve M.

Re: [openssl-users] Key Derivation Function Tests for TLS

2015-09-30 Thread Steve Marquess
vision. > > Interesting, I wonder if those plans include my previously > posted ideas: > ... There are some issues with those ideas, but now is not the time to get into details. We'll worry about it if and when we have an opportunity to do a new open source based validation. -Steve M. -

Re: [openssl-users] Key Derivation Function Tests for TLS

2015-09-30 Thread Steve Marquess
On 09/30/2015 09:58 AM, Jakob Bohm wrote: > On 30/09/2015 15:34, Steve Marquess wrote: >> On 09/30/2015 09:18 AM, Jakob Bohm wrote: >>> ... >>> >>> Under the new "contribution agreement" scheme, publishing such items >>> early would also ma

Re: [openssl-users] Clarification on FIPS Tested Configurations

2015-10-09 Thread Steve Marquess
ject Module validation(s) you can clone it yourself (via what is known as an "alternative Scenario 1A/1B" or "re-brand" validation). At one point the CMVP appeared to be actively encouraging those "re-brand" validations, and now it appears they may be discouragin

Re: [openssl-users] CAVP protocol testing - what does it really consist of ?

2015-10-21 Thread Steve Marquess
requirements of FIPS 140-2). Also note that converting stock OpenSSH to exclusive use of FIPS validated cryptography is a non-trivial exercise. -Steve M.

Re: [openssl-users] CAVP protocol testing - what does it really consist of ?

2015-10-23 Thread Steve Marquess
On 10/21/2015 03:22 PM, jonetsu wrote: >> From: "Steve Marquess" >> Date: 10/21/15 14:18 >> See Appendix B of the OpenSSL FIPS User Guide: > >> https://openssl.org/docs/fips/UserGuide-2.0.pdf > > Thanks. > >> The specific algorithm te

Re: [openssl-users] Cryptographic export laws + OpenSSL

2015-10-27 Thread Steve Marquess
S Object Module User Guide, http://www.openssl.org/docs/fips/UserGuide.pdf Again, you really need to seek appropriate legal counsel and should not make any decisions based on any comments by OSF or OpenSSL.

Re: [openssl-users] OCSP_sendreq_bio()

2015-10-28 Thread Steve Marquess
cess > as long as infinite recursion is avoided, preferably > through the choice of server certificates. There are environments where https must be used for OCSP, due to policy fiat and/or firewall restrictions. -Steve M.

[openssl-users] FIPS 140-2, a game of chance

2015-11-13 Thread Steve Marquess
's an open ended gamble: submit, hope, wait, ... -Steve M. [1] See http://veridicalsystems.com/blog/the-fickleness-of-fips/; note that dual submission did pay off for that client.

[openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-02 Thread Steve Marquess
end any money to us; if you're interested in covering this cost I'll put you directly in touch with the test lab to work out specific payment arrangements. Thanks, -Steve M. [1] See "X9.31 RNG transition, December 31, 2015" at http://csrc.nist.gov/groups/STM/cmvp/notices

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-02 Thread Steve Marquess
On 12/02/2015 11:16 AM, Steve Marquess wrote: > If you don't know or care what FIPS 140-2 is, be very glad this isn't > your > problem and turn your charitable attentions to some worthy > cause. > > The CMVP has introduced a new policy that will result in the >
