Hi,

We have included openssl in our product, a proprietary OS and development
environment. Customers have requested that we include the FIPS validated
version of openssl. We have included the openssl 0.9.8 base line and I am now
trying to clarify what the implications are of including the 0.9.8 FIPS module.
As I understand it, the 0.9.8 FIPS module has been submitted for validation but
when the validation will be completed is unknown. This is based on the
following email from Steve Marquess:
http://markmail.org/message/56dmutf7gkdhy7ib#query:OpenSSL%20FIPS%20Object%20Module%20v1.2%20order%3Adate-backward+page:1+mid:fsqhbhzfg2nkpeot+state:results

Furthermore, there seem to be FIPS changes required in openssl outside the
FIPS module. This is my conclusion after having studied the FIPS_098_TEST_8
branch in openssl's cvs server. When are these changes scheduled to be merged
into the main 0.9.8 branch and be released?

We make some minor modifications to openssl in order to port it to our
environment. It may not be necessary to modify the FIPS module files. And we
use proprietary makefiles to build all openssl files. As I understand it, these
changes compared to the openssl FIPS tarball would void the FIPS validation in
our case. In this FAQ (http://oss-institute.org/fips-faq.html#a26) a cost
figure (USD 10-50K) is stated for a re-validation for an additional OS. Would
that cost figure be applicable in our case? What steps are required in order to
re-validate for an additional OS?

To summarize, these are the steps needed:
- wait for FIPS validation for openssl 0.9.8
- wait for new openssl-0.9.8 release that includes FIPS changes
- FIPS re-validate our product
Is this summary correct? Am I missing anything?
/Roger