Michael Sierchio wrote:
> Forgive my ignorance, but are you a 501(c)3? Can you communicate
> that in a signature line so it's obvious?
The OpenSSL Software Foundation (OSF) is *not* a non-profit
corporation. It was created for the purpose of supporting the
commercial activities of OpenSSL team members (some of whom earn all
their income from OpenSSL related consulting work).
We did consider the benefits of non-profit status, but after legal
consultation concluded that those benefits were nil in our specific
circumstances. Achieving non-profit status under the U.S. tax code
takes a long time, is expensive, and involves restrictions on the
activities of the non-profit entity. Our primary focus is providing
paid services to the commercial software industry and not the
solicitation of charitable contributions from the world at large. We
believe that via the OSF we provide cost effective solutions to
hard-nosed commercial enterprises, and non-profit status is irrelevant
to such potential sponsors and customers (roughly speaking any expenses
a for-profit corporation incurs are "tax deductible" by default). We
don't expect nor are we soliciting contributions from individuals (I
should note that if any charitable contributions are offered -- it
happens very rarely -- the OSF will pass through 100% of any such
donations directly to OpenSSL team members).
Commercial enterprises can support us, and at the same time realize good
value for their investment, in one of three ways:
1) Hire OpenSSL team members on an hourly consulting basis
2) Contract with the OSF for specific work-for-hire development on a
fixed price basis
3) Purchase annual software support contracts
All of these revenue sources indirectly support OpenSSL activities such
as development of the FIPS module, but a support contract could be
structured to do so directly and explicitly. Such customer(s) would
then be assured that the validation would be available when needed and
that it would be directly applicable to their intended use.
> Do you have a list of commercial vendors who use OpenSSL? A list of
> companies that use it internally (that would be nearly everyone who
> uses Linux, UNIX, *BSD, etc.)? That would be the basis of
> fundraising activity (I mean making phone calls, which is something
> nearly everyone can do). $150,000 is not an intimidating amount for
> anyone who's done fundraising.
To my knowledge there are no companies of any significant size who do
*not* use OpenSSL in some way -- including even some very large
companies not thought to be much enamored of open source. Since we sign
and respect non-disclosure agreements I'm not going to mention any names
here, though I will note the commercial sponsors of past validations
that wished to be so identified are referenced on the acknowledgments
page of the respective Security Policy documents (some have elected to
not be identified).
I think $150,000 is a cost effective investment for a number of software
vendors to make to assure the continued availability of a validated
OpenSSL FIPS Object Module for their commercial applications. For most
such companies that cost is going to be less than that for switching to
a non-OpenSSL alternative, even if only one such company has to foot the
entire bill.
-Steve M.
--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org