Kyle Hamilton wrote:
> You're looking at the User Guide. This isn't the right thing to look
> at; the relevant document (and indeed the controlling document) is the
> Security Policy, http://openssl.org/docs/fips/SecurityPolicy-1.2.pdf ,
> and the relevant section is Appendix A, "Installation Instructions".
> It's very likely that the User Guide has been updated from the 1.1.x
> series, and that particular section wasn't. But, the User Guide is
> not the be-all and end-all; it doesn't get validated, and indeed
> wasn't even released for v1.2 for several weeks after the validated
> v1.2 module was released. The Security Policy, however, is validated
> in conjunction with the software.
>
> To reiterate the warning at the end of the configuration process: the
> result is not and cannot be claimed to be validated if you did not
> follow the Security Policy *exactly*.

It is technically correct to state that the Security Policy is the
"relevant document". However, it should also be noted that the Security
Policy document itself (for any validation) is woefully lacking in
useful details as needed by anyone not deeply steeped in the nuances of
FIPS 140-2. What we know now as the OpenSSL FIPS Object Module User
Guide started out as part of the original draft Security Policy document
for the first validation years ago. I removed that material to become
the User Guide when I was told that the CMVP was objecting to the
growing bulk and amount of technical detail. If you look at other
Security Policy documents you will note that they all have a rather
sparse style. That's typical of formal policy related documentation in
general; those of us playing in that arena often prefer not to confuse
the issues with facts :-)

As an uncontrolled document the User Guide can contain "extraneous"
detail and can be amended as often as necessary, and I try hard to keep
it as technically complete and accurate as possible. So yes, the
Security Policy is the formally authoritative document, but the User
Guide is intended as the real world reference for programmers.

Some ambiguities in the User Guide have been noted recently; now that
I'm back from vacation I'll edit it accordingly.

-Steve M.
--
Steve Marquess
Open Source Software Institute
marqu...@oss-institute.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org