[openssl-users] FIPS 140-2 casualty list (continued)

2015-08-11 Thread Steve Marquess
taken as long as six months. That connection makes no sense at all to me, but it's not the first time I've been completely befuddled. -Steve M. [1] https://mta.openssl.org/pipermail/openssl-users/2015-July/001706.html [2] http://openssl.com/fips/aftermath.html -- Steve Marquess OpenSSL Software

Re: [openssl-users] FIPS test parse error?

2015-07-15 Thread Steve Marquess
of for attempting to do algorithm tests) you're in for a painful surprise; some non-trivial code hacking will be necessary to meet new requirements imposed since the #1747 validation was obtained. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA

Re: [openssl-users] CAVP protocol testing - what does it really consist of ?

2015-10-21 Thread Steve Marquess
ts of FIPS 140-2). Also note that converting stock OpenSSH to exclusive use of FIPS validated cryptography is a non-trivial exercise. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...

Re: [openssl-users] Cryptographic export laws + OpenSSL

2015-10-27 Thread Steve Marquess
User Guide, http://www.openssl.org/docs/fips/UserGuide.pdf Again, you really need to seek appropriate legal counsel and should not make any decisions based on any comments by OSF or OpenSSL.

Re: [openssl-users] OCSP_sendreq_bio()

2015-10-28 Thread Steve Marquess
> as long as infinite recursion is avoided, preferably > through the choice of server certificates. There are environments where https must be used for OCSP, due to policy fiat and/or firewall restrictions. -Steve M.

[openssl-users] FIPS 140-2, a game of chance

2015-11-13 Thread Steve Marquess
ait, ... -Steve M. [1] See http://veridicalsystems.com/blog/the-fickleness-of-fips/; note that dual submission did pay off for that client.

Re: [openssl-users] Clarification on FIPS Tested Configurations

2015-10-09 Thread Steve Marquess
can clone it yourself (via what is known as an "alternative Scenario 1A/1B" or "re-brand" validation). At one point the CMVP appeared to be actively encouraging those "re-brand" validations, and now it appears they may be discouraging them but as always it's hard

[openssl-users] FIPS 140-2 casualty list -- Ubuntu 10.4 still MIA

2015-07-08 Thread Steve Marquess
of the OpenSSL FIPS module on that platform, Ubuntu 10.04 on x86, is officially non-validated. -Steve M. [*] http://openssl.com/fips/aftermath.html

[openssl-users] the fickleness of FIPS

2015-09-07 Thread Steve Marquess
" substitution to http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2398.pdf and you have the other validation.

Re: [openssl-users] Forcing the FIPS module to fail (no way)

2015-09-02 Thread Steve Marquess
e" calculation a bit. -Steve M.

[openssl-users] FIPS module 2.0.10 revision approved

2015-09-07 Thread Steve Marquess
ave to wait to see if any more surprises are in store. For now we are continuing to write change letter platform validation contracts, but with yet more caveats as the risk factors seem to keep rising. -Steve M.

Re: [openssl-users] How to enable FIPS mode by default of the OpenSSL FIPS modules

2015-09-14 Thread Steve Marquess
s; the typical httpd binary install won't have FIPS support. -Steve M.

Re: [openssl-users] Key Derivation Function Tests for TLS

2015-09-30 Thread Steve Marquess
te open source FIPS module themselves, and deal with the inevitable onslaught of requests for support. I get those almost daily, usually in the form of "we're trying to do our own validation and need a little help...". -Steve M.

Re: [openssl-users] Key Derivation Function Tests for TLS

2015-09-28 Thread Steve Marquess
On 09/28/2015 09:13 AM, John Foley wrote: > On 09/23/2015 08:16 AM, Steve Marquess wrote: >> John, let me elaborate on my comment above by noting that the Cisco >> contribution includes a bunch of FIPS specific code for which there is >> no counterpart on the master branch

Re: [openssl-users] Key Derivation Function Tests for TLS

2015-09-30 Thread Steve Marquess
On 09/30/2015 09:58 AM, Jakob Bohm wrote: > On 30/09/2015 15:34, Steve Marquess wrote: >> On 09/30/2015 09:18 AM, Jakob Bohm wrote: >>> ... >>> >>> Under the new "contribution agreement" scheme, publishing such items >>> early would also ma

Re: [openssl-users] Key Derivation Function Tests for TLS

2015-09-23 Thread Steve Marquess
O there isn't much point in accepting and committing speculative code, i.e. code that we can't actually use in OpenSSL. -Steve M.

Re: [openssl-users] Key Derivation Function Tests for TLS

2015-09-23 Thread Steve Marquess
On 09/23/2015 07:09 AM, Steve Marquess wrote: > On 09/22/2015 07:26 PM, John Foley (foleyj) wrote: >> Pull request 368 has KDF support for FIPS: >> https://github.com/openssl/openssl/pull/368 >> >> >> I've already updated libsrtp to use this API for FIPS complianc

Re: [openssl-users] Key Derivation Function Tests for TLS

2015-09-22 Thread Steve Marquess
y OpenSSL based "private label" validation. -Steve M.

Re: [openssl-users] Is there any patch for OpenSSH for it to work with OpenSSL FIPS?

2015-09-18 Thread Steve Marquess
.509, or with various homegrown vendor hacks that probably introduce still more vulnerabilities. I've long felt there would be a market for a "U.S. government compliant" version of OpenSSH, but if that's ever done it won't be by the OpenSSH maintainers. -Steve M.

Re: [openssl-users] Is there any patch for OpenSSH for it to work with OpenSSL FIPS?

2015-09-21 Thread Steve Marquess
s, and I'm sure I wasn't the only one. There are also a handful of commercial knockoffs of OpenSSH supposedly adapted for DoD compliance, though I've been out of that arena long enough to no longer recall their names. -Steve M.

[openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-02 Thread Steve Marquess
covering this cost I'll put you directly in touch with the test lab to work out specific payment arrangements. Thanks, -Steve M. [1] See "X9.31 RNG transition, December 31, 2015" at http://csrc.nist.gov/groups/STM/cmvp/notices.html [2] http://openssl.com/fips/ransom.html

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-02 Thread Steve Marquess
On 12/02/2015 11:16 AM, Steve Marquess wrote: > If you don't know or care what FIPS 140-2 is, be very glad this isn't > your > problem and turn your charitable attentions to some worthy > cause. > > The CMVP has introduced a new policy that will result in the > effectiv

Re: [openssl-users] openssl fipsalgtest

2015-12-09 Thread Steve Marquess
ll also note that sorting out the algorithm tests will be relatively trivial compared to hacking the OpenSSL FIPS Object Module v2.0 code to meet all the new requirements that have accumulated since that validation was obtained. You'll want to do those mods before the algorithm testing. -Steve M.

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-03 Thread Steve Marquess
I know the outcome of the X9.31 RNG transition issue. -Steve M.

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-14 Thread Steve Marquess
On 12/02/2015 11:16 AM, Steve Marquess wrote: > If you don't know or care what FIPS 140-2 is, be very glad this isn't > your problem and turn your charitable attentions to some worthy cause. > > The CMVP has introduced a new policy that will result in the effective > termination

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-22 Thread Steve Marquess
1 with those modules. The paper shuffle basically consists of removing most mentions of X9.31 RNG from the Security Policy document. Any application that has deliberately and explicitly enabled a non-default use of the X9.31 RNG would need to be changed, independently of the paper shuffle, but I do

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-22 Thread Steve Marquess
On 12/14/2015 08:23 AM, Steve Marquess wrote: > On 12/02/2015 11:16 AM, Steve Marquess wrote: >> If you don't know or care what FIPS 140-2 is, be very glad this isn't >> your problem and turn your charitable attentions to some worthy cause. >> >> The CMVP

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Steve Marquess
t allowed to fix vulnerabilities (e.g. Lucky 13). So no. We will address all new FIPS 140-2 requirements, and known vulnerabilities, and support of OpenSSL 1.1, if and when we're in a position to pursue a new open source based validation to succeed the current #1747/#2398/#2473. -Steve M.

[openssl-users] OpenSSL FIPS Object Module 2.011 approved

2015-12-18 Thread Steve Marquess
ts three validations (#1747, #2398, #2473). -Steve M. [1] For masochists only: http://openssl.com/fips/aftermath.html

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Steve Marquess
We will undertake another tilt at the windmill with the prerequisites Rich noted above, but I think a successful outcome for the sixth such validation will also require the engagement of politically adept stakeholders. -Steve M.

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Steve Marquess
kled with the magical pixie dust of FIPS 140-2 validation. Writing the code isn't trivial, but that has never been the hard part... -Steve M.

[openssl-users] FIPS 140-2 X9.31 RNG transition submitted

2015-12-28 Thread Steve Marquess
cryptographic module). I check the NIST CMVP web site[*] every day to see what they have or haven't done in the last 24 hours, and will announce any results here if and when there is anything to announce. -Steve M. [*] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

Re: [openssl-users] undefined reference to `FIPS_mode'

2015-12-21 Thread Steve Marquess
OpenSSL need to be built for that target platform, not the build system. -Steve M.

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-22 Thread Steve Marquess
on a new validation with new algorithms, etc., > unless we get one or more sponsors who are willing to contribute a > significant amount of money, among other things. Correct ... we are eager to do so but lack the opportunity at present. I remain hopeful that we will be able to attempt this at some po

Re: [openssl-users] undefined reference to `FIPS_mode'

2015-12-21 Thread Steve Marquess
de as sudo, I get this error: > > error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not > supported Your specific platform isn't supported. The OpenSSL FIPS module doesn't run on as many platforms as OpenSSL proper. -Steve M.

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-21 Thread Steve Marquess
On 12/21/2015 07:06 AM, Jakob Bohm wrote: > On 18/12/2015 19:58, Steve Marquess wrote: >> On 12/18/2015 12:58 PM, jonetsu wrote: >>> Fair enough (in this context). But what about the code itself, is it >>> ready >>> to be RSA 186-4 compliant ? >> We thin

Re: [openssl-users] FIPS 140-2 library

2015-12-19 Thread Steve Marquess
l 3" validation?: https://en.wikipedia.org/wiki/FIPS_140-2#Level_3 The OpenSSL FIPS Object Module v2.0 validations are Level 1, as is the case with all software-only validations. The higher level validations are much more closely tied to specific hardware devices. -Steve M.

Re: [openssl-users] FIPS 140-2 library

2015-12-19 Thread Steve Marquess
rectory" means. -Steve M.

Re: [openssl-users] FIPS 140-2 library

2015-12-19 Thread Steve Marquess
consideration, instead you must ask "is there a validated product available that will allow X"? You can't code your way to FIPS 140-2 validated status, you have to find and use something that is already validated. -Steve M.

Re: [openssl-users] Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

2016-06-24 Thread Steve Marquess
cial link step for FIPS enabled applications, > perhaps also some of the other required steps from the FIPS > module users guide. > See https://openssl.org/docs/fips/UserGuide-2.0.pdf. The FIPS module requires special build-time voodoo to satisfy the peculiar requirements of the

Re: [openssl-users] FIPS Object Module v2.0 and openssl security patches

2016-02-09 Thread Steve Marquess
ndated process its FIPS-ness is unaffected by OpenSSL. -Steve M. -- Steve Marquess OpenSSL Validation Services, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

Re: [openssl-users] How do I verify the FIPS mode

2016-02-10 Thread Steve Marquess
t an enabled cipher in FIPS mode. It depends on the version. Recent versions of OpenSSL will give a "FIPS mode not supported" error for env OPENSSL_FIPS=1 openssl md5 ... Whereas that command for a properly built FIPS-enabled OpenSSL will give a "not permitted in FIPS mode" error

Re: [openssl-users] Configure and config in openssl source folder

2016-02-10 Thread Steve Marquess
re. Then take the resulting fipscanister.* and fips_premain.* files and version control those from then on out. Don't try to continually rebuild the FIPS module from source that cannot be modified anyway. -Steve M.

Re: [openssl-users] FIPS building scripts does NOT work for iOS >=7

2016-02-04 Thread Steve Marquess
On 02/04/2016 05:31 PM, Steve Marquess wrote: > On 02/04/2016 03:19 PM, Yang Hong wrote: >> Hello folks. >> >> >> I follow the latest User Guide 2.0 to build iOS the FIPS Object Module >> and FIPS Capable library for iOS devices (*/E.2 Apple iOS Supp

Re: [openssl-users] FIPS building scripts does NOT work for iOS >=7

2016-02-04 Thread Steve Marquess
hen we test more iOS versions we'll make changes as appropriate. -Steve M.

[openssl-users] FIPS 140-2 X9.31 RNG transition ... still in transition

2016-02-08 Thread Steve Marquess
Tediously documented in the "hostage/ransom/aftermath" trilogy at http://openssl.com/fips/ [2] See https://openssl.org/blog/blog/2015/09/29/fips/

Re: [openssl-users] FIPS building scripts does NOT work for iOS >=7

2016-02-09 Thread Steve Marquess
call on my smarter colleagues for assistance. There are others who may be able to help, for instance Jeff Walton. -Steve M.

[openssl-users] FIPS 140-2 X9.31 RNG transition finally complete

2016-02-10 Thread Steve Marquess
s at revision 2.0.12 along with the RNG transition wordsmithing. Thanks again to DataGravity for making this "RNG transition" compliance possible by paying the test lab fees. -Steve M. [*] The de-listed validations can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/14

Re: [openssl-users] Enforcing FIPS via Cipher Suites Declaration

2016-02-04 Thread Steve Marquess
tart. Also note the OpenSSL FIPS User Guide, https://openssl.org/docs/fips/SecurityPolicy-2.0.pdf. -Steve M.

Re: [openssl-users] Validation status of openssl-fips-2.0.11?

2016-02-13 Thread Steve Marquess
On 02/13/2016 04:58 AM, Kyle Hamilton wrote: > > On 2/12/2016 2:03 PM, Steve Marquess wrote: >> On 02/12/2016 04:26 PM, Kyle Hamilton wrote: >>> I'm not seeing anything about openssl-fips-2.0.11 in >>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.h

Re: [openssl-users] How to enable FIPS mode system-wide for the FIPS capable OpenSSL?

2016-01-29 Thread Steve Marquess
and openssl.conf. See the FIPS user guide, https://openssl.org/docs/fips/UserGuide-2.0.pdf, section 5.2. -Steve M.

Re: [openssl-users] OpenSSL FIPS modules and APIs compatibility

2016-01-27 Thread Steve Marquess
" option in the presence of the FIPS module) will behave just like stock OpenSSL until the FIPS mode of operation is enabled. At that point many cryptographic operations are automagically disabled; but that's not the same thing as changing the API. -Steve M.

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
openssl.com/> (2473). Does that mean that we > now have a FIPS compliant Open SSL again?** You missed my post yesterday: https://mta.openssl.org/pipermail/openssl-users/2016-January/002858.html Note it's not a simple yes/no kind of answer. -Steve M.

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
r if source code tweaks are necessary), you can fund addition of your platform(s) of interest to one of the validations. That is how the list of formally tested platforms has over time grown to more than 120 "OEs", more than any other validated module. -Steve M.

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
t; the validated crypto is necessarily inferior to its unvalidated equivalent (e.g. stock OpenSSL in the case of the OpenSSL FIPS Object Module) by every real world metric (security, performance, maintainability). -Steve M.

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
ive their customized OS a distinctive brand name (e.g. "AcmeOS 1.0") so that the same formally tested OE will cover multiple Linux kernels under that OS brand name and unchanged OS version number. It would be a bit of a stretch to re-brand Microsoft Windows, though. Your options are to le

[openssl-users] FIPS 140-2 red letter puzzle resolved

2016-02-26 Thread Steve Marquess
y: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 So once again all three of the OpenSSL FIPS Object Module v2.0 validations are shown as successfully surviving the "RNG transition". -Steve M.

[openssl-users] FIPS 140-2 red letter puzzle

2016-02-22 Thread Steve Marquess
occurrence. So, don't panic yet. I think we will eventually receive confirmation that this red-letter message is an error and that it will be corrected. Such confirmation may take some time, though. Similar errors in the past have remained uncorrected for months. -Steve M.

Re: [openssl-users] OpenSSL FIPS Object Module v2.0

2016-01-20 Thread Steve Marquess
0. I'm not even going to try and guess how long they'll take to review it; we've had to wait over six months for similar (no new platforms) change letters. -Steve M.

Re: [openssl-users] What version of OpenSSL source can be built with FIPS modules?

2016-01-19 Thread Steve Marquess
distros, and generally found it more trouble than it was worth to try replacing bundled vendor packages, as opposed to installing a new OpenSSL along with new versions of the OSS products that used it (such as OpenSSH, Apache httpd, Stunnel, etc.). -Steve M.

Re: [openssl-users] What version of OpenSSL source can be built with FIPS modules?

2016-01-19 Thread Steve Marquess
a "FIPS capable" OpenSSL, as I haven't looked at the Ubuntu modifications. Try it and see. -Steve M.

Re: [openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

2016-01-19 Thread Steve Marquess
ith that objective (to some extent anyway, by forcing the POST to even in the more common case where FIPS 140-2 was not desired). So that design objective will not be fully achievable in future validations. -Steve M.

Re: [openssl-users] OpenSSL FIPS modules license

2016-01-22 Thread Steve Marquess
On 01/22/2016 04:28 PM, security veteran wrote: > Hi All, > > What type of license does OpenSSL FIPS modules have? Is it the same as > the OpenSSL license, or is it a different license? > > Thanks. Same license. -Steve M.

[openssl-users] FIPS 140-2 X9.31 RNG transition partially done

2016-01-26 Thread Steve Marquess
labeled "X9.31 RNG transition, December 31, 2015". [2] Details for masochists only: http://openssl.com/fips/ransom.html

Re: [openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

2016-01-19 Thread Steve Marquess
"FIPS enabled" mechanism just so that vendors would not need to ship two different sets of binaries to their customers who do and don't care about FIPS 140-2. Ship the "FIPS enabled" OpenSSL libraries to all your customers, and those who don't explicitly enable FIPS mode won't s

Re: [openssl-users] Questions regarding the openssl FIPS self-tests

2016-01-20 Thread Steve Marquess
set of shared libraries can be used for all processes, both those that care about FIPS 140-2 and those that don't. The OpenSSL + OpenSSL FIPS module combination (the "FIPS capable" OpenSSL) was designed for such dual use so that the FIPS behavior wouldn't be seen *unless* FIPS_mode_se

Re: [openssl-users] Validation status of openssl-fips-2.0.11?

2016-02-12 Thread Steve Marquess
ill snail-mailing CDs (see http://openssl.com/fips/verify.html). -Steve M. [1] A tedious discussion starts at http://openssl.com/fips/hostage.html

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
module is not fipscanister.o, but the TEXT and RODATA data within it. To use your analogy, the fipscanister.o "can" contains only one tomato which is an indigestible and indivisible blob that appears intact in the baked quiche. Bon Appétit. -Steve M.

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
ation thing) and move on; I didn't and was condemned to an eternity of tilting at the FIPS 140-2 windmill... -Steve M.

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
pixie dust detector. We cannot make one; no one can. -Steve M.

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
s). At a minimum you'll need an official CD (section 6.6; yup, snail mail is a "trusted path"). We're still sending those out for free, in spite of the significant financial losses the OpenSSL FIPS business sustained last year. -Steve M.

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-19 Thread Steve Marquess
l suffice as proof a product is using a validated cryptographic module. It is even less possible than the "secure backdoor" in FBI/DoJ fantasies. -Steve M.

Re: [openssl-users] Execute failed when I tried to enable fips_mode.

2016-04-08 Thread Steve Marquess
not supported:o_fips.c:92: > ... You linked your test program with a stock version of OpenSSL, not the "FIPS capable" OpenSSL that contains the OpenSSL FIPS Object Module. Building of the "FIPS capable" OpenSSL is discussed in the OpenSSL FIPS User Guide: https://www.op

[openssl-users] FIPS 140-2 web site error

2016-04-11 Thread Steve Marquess
han a week behind us, and we haven't been offered the bazillion dollars and a pony it would take for us to agree to relinquish that validation. I've asked the accredited test lab to contact the CMVP to correct it. Based on past experience that could take days to weeks. -Steve M.

Re: [openssl-users] FIPS Performance Question

2016-03-08 Thread Steve Marquess
cific answers to hypothetical questions from the CMVP. Test labs may say "well, we're not sure", or different labs may give diametrically different answers. Sometimes the best way to answer such questions is to submit a formal validation action to elicit a definitive response.

Re: [openssl-users] Looking for the Changelog in openssl-fips-2.0.12

2016-05-24 Thread Steve Marquess
d for OpenSSL proper or other more conventionally maintained software. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-11 Thread Steve Marquess
with ones experienced with 501(c)) don't see a viable path worth the substantial investment it would cost us. -Steve M. -- Steve Marquess OpenSSL Software Foundation 20-22 Wenlock Road London N1 7GU United Kingdom +44 1785508015 +1 301 874 2571 direct marqu...@opensslfoundation.org ste...@op

Re: [openssl-users] good riddance to PayPal

2016-05-12 Thread Steve Marquess
hey open for business. I suspect we'll run into the U.S. web server location issue, but I'll check. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-12 Thread Steve Marquess
On 05/12/2016 09:39 AM, Steve Marquess wrote: > On 05/11/2016 06:04 PM, Johann v. Preußen wrote: >> i am sorry if i have wasted your time on non-profit formation and >> taxation issues when i put my CPA hat on. i originally meant to point >> out some banking alternatives an

Re: [openssl-users] good riddance to PayPal

2016-05-13 Thread Steve Marquess
ain. We have turned down other donations-with-strings opportunities in the past for similar reasons. Also, while we value the individual donations received via PayPal, the bulk of our donation funding has been received via bank transfers (Swift/ACH), and that is unaffected by the closing of our PayPal

Re: [openssl-users] good riddance to PayPal

2016-05-11 Thread Steve Marquess
he IRS does not look kindly on our type of open source project. That is one of the reasons we need to relocate outside of U.S. jurisdiction. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-05 Thread Steve Marquess
re is a requirement that the web site on which payments are processed be located in the U.S. Our servers are all in Europe, appropriately so. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-06 Thread Steve Marquess
On 05/06/2016 10:29 AM, Jakob Bohm wrote: > On 06/05/2016 15:26, Steve Marquess wrote: >> On 05/06/2016 09:14 AM, Jakob Bohm wrote: >>> On 06/05/2016 13:45, Salz, Rich wrote: >>>>> Consider having the non-U.S. person do the account setup too. >>>>&

Re: [openssl-users] good riddance to PayPal

2016-05-06 Thread Steve Marquess
problem. -Steve M.

[openssl-users] good riddance to PayPal

2016-05-05 Thread Steve Marquess
lternative to switch to instead (suggestions welcome if there are options I'm unaware of). -Steve M. -- Steve Marquess OpenSSL Software Foundation 20-22 Wenlock Road London N1 7GU United Kingdom +44 1785508015 +1 301 874 2571 direct marqu...@opensslfoundation.org ste...@openssl.org -- openssl-use

Re: [openssl-users] good riddance to PayPal

2016-05-05 Thread Steve Marquess
On 05/05/2016 07:52 PM, debbie10t wrote: > Hello, > > On 05/05/16 21:41, Steve Marquess wrote: >> We've had a PayPal account for years, as the most convenient way for >> individuals to send small donations. However, as the person who has >> managed that account I can at

Re: [openssl-users] good riddance to PayPal

2016-05-06 Thread Steve Marquess
ively worked, and I'm sure we'll solve it eventually. I initially (as someone who has created multiple U.S. companies) thought it would be as easy as you assume. It's been an education. -Steve M. -- Steve Marquess OpenSSL Software Foundation 20-22 Wenlock Road London N1 7GU United Kingdom +44 178

Re: [openssl-users] good riddance to PayPal

2016-05-06 Thread Steve Marquess
at category anyway; OpenSSL is not a U.S. centric organization. Our U.S. connections are only due to the circumstantial fact that the OpenSSL team member (me) who initially set up our banking arrangements happened to be American. -Steve M. -- Steve Marquess OpenSSL Validation Services, Inc. 1829 M

Re: [openssl-users] good riddance to PayPal

2016-05-06 Thread Steve Marquess
I've spent an unbelievable amount of time on this. If there is a non-U.S. bank willing to have OpenSSL as a customer I'd love to talk to them. We've even created non-U.S. corporate entities (in IoM and BVI) for that purpose; after many months they remain bankless. -Steve M. -- Steve Marquess OpenSSL Software Foundatio

[openssl-users] Attack of the FIPS 140-2 Clones

2016-05-10 Thread Steve Marquess
ted in alphabetical order in table 2.10b. -Steve M. -- Steve Marquess OpenSSL Validation Services, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc -- openssl-users mailing list

Re: [openssl-users] good riddance to PayPal

2016-05-10 Thread Steve Marquess
On 05/05/2016 04:41 PM, Steve Marquess wrote: > We've had a PayPal account for years, as the most convenient way for > individuals to send small donations. However, as the person who has > managed that account I can attest that PayPal has always been rather > annoying to deal wi

Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-18 Thread Steve Marquess
rmal software engineering best practice for building OpenSSL proper (e.g. 1.0.2g) and your application code, and automation would make more sense. -Steve M. -- Steve Marquess OpenSSL Validation Services, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direc

Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Steve Marquess
ut the CMVP required the specification of fixed build commands from the very first validation. No requirement that a specific version of "gunzip" be used, so the use of a script would appear to be permitted. Confusing, for sure... -Steve M. -- Steve Marquess OpenSSL Validation Ser

Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Steve Marquess
On 04/19/2016 10:43 AM, Jakob Bohm wrote: > On 19/04/2016 16:31, Steve Marquess wrote: >> On 04/19/2016 09:16 AM, Jakob Bohm wrote: >>> On 19/04/2016 13:44, Leaky wrote: >>>> Thanks, but I am still scratching my head as to if that is even >>>> possible o

Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-18 Thread Steve Marquess
It doesn't make sense, from the software engineering viewpoint, but is what the FIPS 140-2 validation bureaucracy insists on. -Steve M. -- Steve Marquess OpenSSL Validation Services, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct mar

Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Steve Marquess
On 04/18/2016 08:25 PM, Jakob Bohm wrote: > On 19/04/2016 01:51, Steve Marquess wrote: >> On 04/18/2016 04:05 PM, Leaky wrote: >>>>> plus you're constrained by the >>>>> requirements of the Security Policy to build the module with precisely >>>>&

[openssl-users] wiki spam

2016-07-11 Thread Steve Marquess
is tedious so please note that going forward we'll need better evidence that new contributors are real OpenSSL users. How we do that we'll need to figure out as we go; please bear with us. -Steve M. -- Steve Marquess OpenSSL Software Foundation 20-22 Wenlock Road London N1 7GU United Kingdom +44

Re: [openssl-users] Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

2016-06-29 Thread Steve Marquess
link process, but you cannot put the FIPS module in a conventional static library (as managed with "ar"). Unfortunately the requirements of FIPS 140-2 conflict in several ways with standard software engineering practice; it is the tail that wags the dog. -Steve M. -- Steve Marquess

Re: [openssl-users] OpenSSL - FIPS 140 Compliant

2016-08-17 Thread Steve Marquess
The background discussion there will still be relevant for the new FIPS module. -Steve M. -- Steve Marquess OpenSSL Validation Services, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0x6D189

Re: [openssl-users] Reasons to go from 2.0.9 FOM to 2.0.12 ?

2016-08-19 Thread Steve Marquess
expense and trouble of obtaining a copycat validation, there's no reason for you *not* to use 2.0.13. That way you'd potentially have coverage for more platforms. -Steve M. [*] Removal of Dual EC DRBG -- arguably a vulnerability mitigation -- at revisions 2.0.6 and 2.0.8 is a singular exception to that r
