Kyle Hamilton wrote:
> The FIPS validation process is... odd.  And not at all conducive to the
> open-source development model.
>   
There is a certain dissonance, for sure :-)
> There is no available OpenSSL FIPS Object Module v1.2.
Well, yes and no.  Check out the OpenSSL-fips-0_9_8-stable branch.  The
code we're trying to validate now is from that branch.  Currently we're
at tag FIPS_098_TEST_8.

> Until it passes
> validation, anyway, at which point the openssl-fips-1.2.0.tar.gz file will
> be made available.  I don't think the source is actually even in the public
> CVS.  (I would like to see a preview version that I can at least link things
> that use the API against, even if everything's stubbed out. :P)
>   
The fact that the code is publicly available doesn't help anyone who
wants a validated module now.  We also can't know until the very end if
the code will change -- the considerations behind some of the FIPS 140-2
requirements are not always obvious, even in hindsight.  The requirements
and interpretations thereof evolve over time as well, even during the
course of a single validation.
> I do have to ask, though: is this one going to compile properly on
> Intel-based Macs?  1.1 and 1.1.1 didn't.
>   
Try it and see.  If you find problems it will probably be too late to do
anything for the current v1.2 validation, but we can address it for the
next.

Note that we haven't attempted to solicit widespread testing because of
the peculiar timing of the FIPS validation process -- you have to
effectively freeze the code baseline *before* starting testing.  The
ideal way to deal with that would be to have a continuing stream of
validations in process, spaced a few months apart -- then problems found
in validation N could be addressed in validation N+1.  But validations
are very expensive and our financial sponsorship is erratic so we
proceed as resources allow.

-Steve M.

-- 
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
