Steve, First let me clarify that it isn't my intent to challenge OpenSSL validation. In fact the reason I started down this path is because I have a product that uses v1.2 and needs to claim FIPS compliance. I cannot legitimately make that claim if v1.2 is not listed.
However I have sent a query to CMVP to get clarification. If CMVP says I am mistaken, I will be extremely happy. In the meantime, your response did not address the CMVP FAQ I pointed to which backs up what I am saying. I am reproducing it here again: *"**When a module is validated, an entry is posted on the CMVP web site valuation list along with a softcopy of the initial printed validation certificate. The hardcopy validation certificate is for informational purposes only. The CMVP web site validation list is the official source of validation information in reference to the module. If changes are made to the module that would change the referenced certificate information, only the web site validation list is updated." *This clearly indicates that the CMVP website is the official source of validation information. This infers that the version listed on the validation website is the validated version. Do you interpret this differently? Thanks! -Ashit On Thu, Mar 8, 2012 at 6:49 PM, Steve Marquess < marqu...@opensslfoundation.com> wrote: > On 03/08/2012 06:09 PM, Ashit Vora wrote: > > Regarding the certificate, it will never be updated. Whenever the CMVP > > updates a listing because of a change letter process (IG G.5 scenario 1) > > they only update the website listing. They never update the certificate. > > The understanding is that the website listing supersedes the > > certificate. Please see CMVP FAQ > > (http://csrc.nist.gov/groups/STM/cmvp/documents/CMVPFAQ.pdf) section > > 5.9, "If the CMVP validation web site does not match the posted > certificate, > > which is valid?": > > / > > When a module is validated, an entry is posted on the CMVP web site > > valuation list along with a softcopy of the initial printed validation > > certificate. The hardcopy validation certificate is for informational > > purposes only. The CMVP web site validation list is the official source > > of validation information in reference to the module. If changes are > > made to the module that would change the referenced certificate > > information, only the web site validation list is updated./ > > > > Also note that the security policy that is currently linked to on the > > website only mentions 1.2.3 as the validated module. There is no mention > > 1.2. > > It is mentioned: "...The v1.2.3 Module can be used in any environment > supported by the earlier v1.2 Module.". I can see where you may have > been confused by that and the statement "Note that the OpenSSL FIPS > Object Module v1.2.3 completely replaces the earlier OpenSSL FIPS > Object Module v1.2.", but those refers to the functional completeness of > the modified module (the fact that there is no OE for which only an > earlier revision works); *not* the legitimacy of the original validation. > > > All of this points to the conclusion that 1.2 is not FIPS validated > > currently. > > Sorry, I still disagree. Of course the certificate isn't updated, that > was my point (and now no individual certificate is issued at all). > > A change letter mod is an update to an existing validation, not a new > validation. Only the new changed element(s) are considered and previous > validation review and testing is not repeated. For instance, the most > recent mod was to add two new platforms. None of the prior OE testing, > or source code or document review was repeated, because all of that > prior testing remains valid. Ditto for the earlier mods. By your theory > all of the hundreds of thousands (millions...?) of deployed instances of > the 1.2, 1.2.1, 1.2.2 modules have retroactively become illegitimate -- > a significant fraction of all deployed FIPS 140-2 validated software. I > do not believe that is the case and I leave it to you to prove otherwise > by filing an objection with the CMVP (yes, anyone can challenge the > legitimacy of our validations and that was in fact done a number of > times for the early OpenSSL FIPS Object Module Validations). > > > If the intention was to not remove 1.2, I would highly > > recommend contacting your FIPS laboratory and getting it changed. It > > would be quite simple to change this. My suspicion is that when the > > laboratory submitted the change letter they forgot to include 1.2 in > > the list of changes required to the validation. As such CMVP removed > > 1.2 listing. > > We did not "forget" anything, for any of the change letter mods (via > multiple labs, incidentally). The updates were all carefully designed to > be strictly cumulative, differing only in the addition of new OEs with > newer revisions subsuming but not invalidating earlier ones. > > -Steve M. > > -- > Steve Marquess > OpenSSL Software Foundation, Inc. > 1829 Mount Ephraim Road > Adamstown, MD 21710 > USA > +1 877 673 6775 s/b > +1 301 874 2571 direct > marqu...@opensslfoundation.net >
