Steve, Please see response from Randy (CMVP Director) below. It clearly indicates older versions (including v1.2) are no longer considered validated since they are not listed on the website:
*"Ashit,

You can always view the change history by downloading the CMVP Validation DB from: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140-1val.zip

For Cert. #1051:

11/20/09: Added new OS and updated Security Policy.
12/08/10: Replaced SW v1.2.2 and updated Security Policy.
05/12/11: Replaced SW 1.2.2 with 1.2.3, added OE Android 2.2 (gcc Compiler Version 4.4.0); VxWorks 6.7 (gcc Compiler Version 4.1.2), added Triple-DES #1011 and #1066, AES #1534 and #1630, DSA #475 and #512, SHS #1362 and #1435, HMAC #892 and #957, RSA #745 and #804, RNG #826 and #873, and updated Security Policy.
03/07/12: Added OEs Wind River 1.4 (gcc Compiler Version 3.4.0) and Wind River 4.0 (gcc Compiler Version 4.4.1). Added Triple-DES #1259, AES #1933, DSA #616, SHS #1698, HMAC #1167, RSA #999 and RNG #1018. Updated security policy.

The vendor/testing laboratory indicates, when a change request is sent to the CMVP, whether the new version is added to the current or replaces the current. As the lab/vendor knows, validation is version specific. So if they replace a version, that means anyone who has that version now has a non-validated version. We usually ask the lab when they ask for a replacement to make sure they know what they are asking. So for this module, only v1.2.3 is valid.

I cannot provide additional details regarding the nature of the change requests themselves as that is proprietary information. Suggest you may ask the vendor.

Randy
----
Randall J. Easter
Director
Cryptographic Module Validation Program (CMVP) - NIST
Computer Security Division - Security Testing, Validation and Measurement Group
100 Bureau Drive, Suite 8930
Gaithersburg, MD 20899
301-975-4641 (Voice)
301-975-4007 (FAX)
www.nist.gov/cmvp"*

Given this, do you plan to get the certificate updated with the older version (I really care about v1.2 only right now)? Thanks!
-Ashit

On Fri, Mar 9, 2012 at 7:34 AM, Steve Marquess <marqu...@opensslfoundation.com> wrote:
> On 03/08/2012 08:49 PM, Ashit Vora wrote:
> > Steve,
> >
> > First let me clarify that it isn't my intent to challenge OpenSSL validation. In fact the reason I started down this path is because I have a product that uses v1.2 and needs to claim FIPS compliance. I cannot legitimately make that claim if v1.2 is not listed.
> >
> > However I have sent a query to CMVP to get clarification. If CMVP says I am mistaken, I will be extremely happy.
>
> Only the CMVP can speak authoritatively about FIPS 140-2, so filing a challenge with them is exactly the right thing to do if you have concerns. It's always possible that the judgment of two test labs (and myself) was completely wrong.
>
> > In the meantime, your response did not address the CMVP FAQ I pointed to which backs up what I am saying. I am reproducing it here again:
> >
> > "When a module is validated, an entry is posted on the CMVP web site validation list along with a softcopy of the initial printed validation certificate. The hardcopy validation certificate is for informational purposes only. The CMVP web site validation list is the official source of validation information in reference to the module. If changes are made to the module that would change the referenced certificate information, only the web site validation list is updated."
> >
> > This clearly indicates that the CMVP website is the official source of validation information. This infers that the version listed on the validation website is the validated version.
> >
> > Do you interpret this differently?
>
> I do, in that I do not see revocation or repudiation of any previously validated modules for validation #1051.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marqu...@opensslfoundation.net