William A. Rowe Jr. wrote on 03/31/2010 01:20 AM:
> On 3/30/2010 10:58 AM, Gatewood (Woody) Green wrote:
>>
>> I assume the 2010 limit on new validations is the impending finalization
>> of 140-3.
>
> What you are thinking of won't be designated 140-3, it's not sequential,
> there is such a FIPS level already. Probably FIPS-{new}-2 or FIPS-140-2 2010
> or something like that.
>
> FIPS 140-3 implies a level of physical validation that an open source project
> isn't able to consider validating to. If you were to bundle OpenSSL-FIPS into
> a sealed card, and add the appropriate cert/key mgmt, then you could consider
> applying for FIPS 140-3 validation for such a physical device.

Actually, no. 140-3 will be the successor to 140-2, which is the successor to 140-1. The hyphenated number is a release version. You are trying to talk about FIPS 140-2, Level 3 certification in your example (bottom of page two in the gov't 140-2 PDF; see link below).

The levels are *within* the particular 140-x standard. Case in point: the original draft of 140-3 contained five levels but has since been reduced back to four, as is in the 140-2 version. Second example: we have 140-2, Level 2 certification on a subset of our products (version, model and product specific).

A reading of the gov't's own file titled "fips1402.pdf" contains data on all four levels of 140-2 certification. Note the phrasing used in the second paragraph and the security levels starting at the bottom of page one in:

http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

Backed by the wording "The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2." on:

http://csrc.nist.gov/publications/PubsDrafts.html

And finally, 140-2 certifications issued continue to be valid even after the release of 140-3, but *new* certifications will be required to meet the stricter 140-3 standard.

My original question was centered around the idea of whether the 2010 limit Steve M. mentioned was due to the upcoming release of 140-3, a possible update to 140-2 prior to the finalization and release of 140-3, or if he thought the openssl-fips-1.2 certificate might be revoked (as has happened once before with 1.1.2, if I remember correctly).

Thanks,

Woody

--
-----------------------------------------------------------------------
Gatewood Green
Sr. Software Engineer/Network Admin
Email: wo...@nitrosecurity.com
http://www.nitrosecurity.com/
NitroSecurity
-----------------------------------------------------------------------
Imagine, if you will, a world in which there are no hypothetical
situations...

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org