On 03/08/2012 08:49 PM, Ashit Vora wrote: > Steve, > > First let me clarify that it isn't my intent to challenge OpenSSL > validation. In fact the reason I started down this path is because I > have a product that uses v1.2 and needs to claim FIPS compliance. I > cannot legitimately make that claim if v1.2 is not listed. > > However I have sent a query to CMVP to get clarification. If CMVP says I > am mistaken, I will be extremely happy.
Only the CMVP can speak authoritatively about FIPS 140-2, so filing an challenge with them is exactly the right thing to do if you have concerns. It's always possible that the judgment of two test labs (and myself) was completely wrong. > In the meantime, your response did not address the CMVP FAQ I pointed to > which backs up what I am saying. I am reproducing it here again: > /"//When a module is validated, an entry is posted on the CMVP web site > valuation list along with a softcopy of the initial printed validation > certificate. The hardcopy validation certificate is for informational > purposes only. The CMVP web site validation list is the official source > of validation information in reference to the module. If changes are > made to the module that would change the referenced certificate > information, only the web site validation list is updated." > > /This clearly indicates that the CMVP website is the official source of > validation information. This infers that the version listed on the > validation website is the validated version. > > Do you interpret this differently? I do, in that I do not see revocation or repudiation of any previously validated modules for validation #1051. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.net ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
