In the three years since the open source based FIPS 140-2 validated
OpenSSL FIPS Object Module became available many software vendors have
directly or indirectly utilized it to realize substantial cost and
schedule savings. We're glad to see the widespread benefits of these
hard won validations.
Recently I've been contacted by many OpenSSL users and software vendors
concerned about upcoming changes announced by the CMVP (the government
agency responsible for FIPS 140-2 validations). Briefly stated, these
changes will mean that the current OpenSSl FIPS Object Module v1.2 may
not be usable beyond the current year (see
http://openssl.org/docs/fips/fipsnotes.html for some more discussion).
Those concerns are not relieved when I respond that we have no plans at
present to pursue a new validation that would result in a OpenSSL FIPS
Object Module usable after 2010. However, that situation is due to a
lack of funding and not a lack of interest on our part. We will tackle
a new validation with enthusiasm at the first opportunity.
The purpose of this open message is twofold:
First, to note that we are actively soliciting sponsors for a post-2010
FIPS 140-2 validation of the OpenSSL FIPS Object Module. We don't know
the precise cost for several reasons including the number of platforms
that would be covered, the degree of refactoring that would be
appropriate, or the resolution of several ambiguous areas in the draft
CMVP transition announcements. However, we're fairly comfortable that
the total cost would be in the range of US$50,000 to US$150,000. That's
a huge sum to us but a relatively modest amount for some major
corporations utilizing OpenSSL.
Second, to note that I consider it highly probable that we will
eventually find funding for this effort, the real question is whether
that funding will materialize in time to obtain a new validation before
the current one becomes obsolete. The economics are simply too
compelling for any of a number of large software vendors that would
otherwise be faced with paying a comparable cost for commercial
proprietary licenses. One or more of these vendors will do the math
and, reluctantly, step forward to make it happen. The reluctance is
understandable because that vendor will effectively be carrying the
burden for the entire industry; that's one of the dilemmas of the open
source world.
It would make more sense for multiple vendors to jointly sponsor the
cost. I encourage any potential sponsors to contact us with the amount
they would be willing to sponsor and the specific platforms they would
want included. We'll keep track of the total until we think we have
enough to launch a validation effort. then pull everyone together to
make it happen.
As for timing, note that a six month timeframe to obtain a validation is
the most optimistic I would dare hope for. Nine or more months is more
realistic. One apparently uncomplicated validation we worked on took
thirteen months, and the very first open source based validation took
five years. It's not a speedy process and it can't be hurried once the
paperwork is submitted to the CMVP, and that's the stage that consumes
the most time. The sooner we can start the better.
Thanks,
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
