ja...@nixsecurity.org wrote:
Hello,

Aside from searching the net, I've learned that the FIPS module for OpenSSL 1.0.0 requires funding for the project and availability of the next FIPS revision (I think). I'm curious if there's an ETA on the module at all? I've also noticed that Red Hat (Fedora) is pushing OpenSSL 1.0.0 with FIPS. I'm assuming they've either modified the FIPS module to be compatible with OpenSSL 1.0.0, they've obtained their own module by other means or some other method.

Any information on this would be helpful.

Thanks in advance,
James

I'll have to speculate here as I've had no contact with Red Hat, but it appears that they have obtained their own proprietary validation based on OpenSSL (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1320). This is a pretty common thing for proprietary software vendors to do, and obtaining such a binary validation is much easier than for the open source based ones (e.g. the OpenSSL FIPS Object Module v1.2, #1051). I've been told by those in the know that the *majority* of all software validations are based on OpenSSL.

There is no schedule for a new open source based 1.0 compatible validation because we have no funding. In fairness to the commercial vendors like Red Hat, it isn't to their economic advantage to support a validation that could be leveraged by their competitors. To those vendors who do have validated crypto modules the FIPS 140-2 procurement requirements are a marvelous advantage that lock out a lot of potential competition, well worth the (significant) expense.

Not such a good deal for the U.S. and Canadian taxpayers, as they indirectly pay for many validations of essentially the same software, but there is currently no one really representing that interest (the previous validations did receive significant financial support from the U.S. government and DoD, but that was all done on a one-off basis).

-Steve M.

--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
