carlyo...@keycomm.co.uk wrote:
> We want to use the FIPS 140-2 compliant OpenSSL module for certain
> customers...

By which I assume you mean the OpenSSL FIPS Object Module v1.2 (cert #
1051).

> ... When interpreting FIPS 140-2, my understanding is ... ... does
> that invalidate the FIPS 140-2 compliance of AES use?

If you're asking "is product X FIPS 140-2 validated?" then the answer is
easy for any X -- it's validated if the CMVP says so
(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm)
and the vendor asserts that X is covered by one of those certificates,
otherwise it isn't.  Regardless of what the product does or doesn't
actually do.  I'm not trying to be flippant here, just pointing out that
the status of "FIPS 140-2 validated" is a very specific, formal, and
official designation by one and only one authority, the CMVP.

Now the term "FIPS 140-2 compliance... " is an interesting one.  I like
to use it as a consultant when I can't legitimately use the term
"validated", in the hope that it will be conflated with that latter term
:-)  I think the only really hard and fast meaning you can give the term
"FIPS 140-2 compliant" is to state that a validated product is
necessarily a compliant product.  The converse is definitely not true. 
But personally as a layman I try very hard to avoid arguing FIPS 140-2
scripture with anyone, least of all the high priesthood, the CMVP.

> SP800-38a is only a recommendations publication, but does state that
> conformance testing of the specified modes of operation [...] will be
> conducted within the framework of the CMVP.

"conducted within the framework of the CMVP" == validation.

Yes, dodged your question about SP800-38a, sorry.  As noted above I'll
defer to others on scripture interpretations.

-Steve M.

-- 
Steve Marquess
Veridical Systems, Inc.
marqu...@veridicalsystems.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
