> Hi,
>
> I had a few questions regarding the new OpenSSL FIPS object module.
>
> 1) What would be the time frame for completing FIPS 2.0 validations?

At present we anticipate the formal validation award in Q1 of 2012. The original schedule has slipped from Q4 2011 due to a recent request by our primary sponsors to increase the scope of the validation.

> Also, around what time frame do you think will FIPS capable openssl
> 1.0.1 distribution be available for public use?

That is ready now, in the 1.0.0 stable branch. Note the FIPS module itself is *not* in that branch, use the purpose built snapshots instead (ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-2011MMDD.tar.gz).

> 2) Are the latest snapshot distributions of FIPS 2.0 & openssl 1.0.1
> (found in ftp://ftp.openssl.org/snapshot/) in a state that can be
> used for private validation by us users? Or is it too early?

Well, the currently available code in the repository is functional, absent the new cryptography, as described in the earlier "call for testing" (http://www.mail-archive.com/openssl-users@openssl.org/msg64826.html). So anyone is free to use that code as the basis for obtaining their own FIPS 140-2 validation, and we expect that more than a few vendors will do that.

However, since the OpenSSL FIPS Object Module 2.0 validation has not yet been completed and published, such an initiative will need to independently tackle some of the issues that have arisen with the new CMVP guidance effective in 2011.

What we (OSF) can do (and have done) is sign vendors up for a "private label" validation now, with the same test lab and with arrangements for the vendor platforms to be tested in parallel with the 2.0 module platforms. That way we can submit the private label validations at the same time as the 2.0 one, and since the open source validations seem to attract closer scrutiny the private label validations will probably be awarded sooner. With a couple of uncomplicated platforms such "private label" validations run about US$40K, not a bad price as validations go.

> 3) In the OpenSSL validation effort, will Mac OS be one of the
> tested platforms? Can you share list of platforms that will be
> tested?

The current list can be found at http://opensslfoundation.com/testing/validation-2.0/platforms/Platforms.pdf. Mac OS is not currently among them.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com