Michael S. Zick wrote:
On Fri January 9 2009, Kyle Hamilton wrote:
> You're looking at the User Guide. This isn't the right thing to
> look at; the relevant document (and indeed the controlling
> document) is the Security Policy,
> http://openssl.org/docs/fips/SecurityPolicy-1.2.pdf , and the
> relevant section is Appendix A, "Installation Instructions".
>
> It's very likely that the User Guide has been updated from the
> 1.1.x series, and that particular section wasn't. But, the User
> Guide is not the be-all and end-all; it doesn't get validated, and
> indeed wasn't even released for v1.2 for several weeks after the
> validated v1.2 module was released. The Security Policy, however,
> is validated in conjunction with the software.
>
> To reiterate the warning at the end of the configuration process:
> the result is not and cannot be claimed to be validated if you did
> not follow the Security Policy *exactly*.
>
Now there is an interesting read. Check the last entry of Table 2.2 -
The newest machine added to my collection uses a higher density power
connector to the motherboard than that specified. Which means the
module is not validated when used on that machine.
There are some aspects of FIPS 140-2 that could be politely referred to
as "non-intuitive". The applicability of a validation to specific
tested platforms is one of those. Per the CMVP Implementation Guidance
document
(http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf,
section G.5) a validated module can be used on other platforms beyond
those specifically enumerated in the validation certificates and
Security Policy on a "vendor affirmed" basis. See Chapter 3 of the User
Guide (http://www.openssl.org/docs/fips/UserGuide-1.2.pdf) for more
discussion.
There are some other aspects of FPS 140-2 that IMHO badly need a reality
check, but fortunately this isn't one of them.
_I_ don't have any need to run in FIPS mode - but other people do,
and they need to examine the motherboard power connector in use to be
sure it meets the policy requirements.
Actually most of the formal requirements that I am aware of mandate
*procurement* of FIPS validated software, not actual runtime use of FIPS
mode. And in practice you'll find a lot more procurement than use in DoD.
Don't we all just love dealing with government regulations? ;)
Yes, as a consultant making a good living at it I do. If there was less
silly nonsense I'd have to get a real job :-)
-Steve M.
Open Source Software Institute
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
