Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-08 Thread Salz, Rich via openssl-users
> It seems to me that the easiest thing to do is maintain that release of OpenSSL by themselves. >Which would be another variation of such unofficial work. You could look at things like that. I consider it to be more like "your free FIPS ride is done, time to pay up" >That

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-08 Thread Dr Paul Dale
I think it’s worth pointing out that OpenSSL is itself a non-profit and that FIPS validations cost a significant amount of money. Until about a year ago, there was also a notable absence of FIPS sponsors. Pauli -- Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-08 Thread Jakob Bohm via openssl-users
On 08/07/2019 10:12, Dr Paul Dale wrote: I have to disagree with the “decision not to make a FIPS module for the current 1.1.x series” comment.  Technically, this is true.  More practically, 3.0 is intended to be source compatible with 1.1.x.  Thus far, nothing should be broken in this

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-08 Thread Dr Paul Dale
I have to disagree with the “decision not to make a FIPS module for the current 1.1.x series” comment. Technically, this is true. More practically, 3.0 is intended to be source compatible with 1.1.x. Thus far, nothing should be broken in this respect. If support for 1.0.2 is required beyond

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-07 Thread Jakob Bohm via openssl-users
On 06/07/2019 16:30, Salz, Rich wrote: >> They would have to get their own validation, their own lab to verify, etc., etc. That seems to contradict the other answer, which is that legally, the FIPS canister (properly built) can be used with any software outside the

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-06 Thread Salz, Rich via openssl-users
>> They would have to get their own validation, their own lab to verify, etc., etc.
> That seems to contradict the other answer, which is that legally, the FIPS canister (properly built) can be used with any software outside the cryptographic boundary, the soon-to-be-deprecated

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-06 Thread Jakob Bohm
On 04/07/2019 16:44, Salz, Rich wrote: Is the use of OpenSSL an actual legal requirement of the certification of the FIPS object module, or just the easiest way to use it? I'm not sure who you are asking this. The existing FIPS validations for OpenSSL only cover the 1.0.2 based

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-04 Thread Salz, Rich via openssl-users
> Is the use of OpenSSL an actual legal requirement of the certification of the FIPS object module, or just the easiest way to use it?
I'm not sure who you are asking this. The existing FIPS validations for OpenSSL only cover the 1.0.2 based source code.
> Difference would be

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-04 Thread Dr Paul Dale
The FOM is stand alone in theory. I.e. it isn’t mandatory to use OpenSSL 1.0 but the two are designed to work together and are very closely intertwined. Moving the FIPS canister forward to 1.1 would be a lot of effort. Pauli

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-04 Thread Jakob Bohm via openssl-users
Is the use of OpenSSL an actual legal requirement of the certification of the FIPS object module, or just the easiest way to use it? Difference would be particularly significant in case someone created code to use the validated FOM 2.0 module with the OpenSSL 1.1.x feature enhancements (as the

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-03 Thread open...@foocrypt.net
Deepak
Just take note of the FIPS 140-2 sunset, and rise of FIPS 140-3
140-3 Takes Effect: 9/22/19
140-3 New Testing Begins: 9/22/20
140-2 Sunset: 9/21/21
140-3 Mandated: 9/22/21
And best of luck ;)

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-03 Thread Kyle Hamilton
Also, on question b: No. You need to build a compatible version of openssl as specified in the User Guide, and link that version. FIPS_mode_set() tells the library to always and only use the implementations in the FIPS canister; the canister does not replace the library entirely. -Kyle H On

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-03 Thread Kyle Hamilton
Step a. needs to verify the digest with an existing FIPS 140-2 validated cryptography implementation. Otherwise, to my understanding, this is the correct sequence of events. Do note that after building the fipscanister.lib, you will want to digest it and print it on a certification letter that