On 06/28/2012 06:42 PM, Keith Bennett wrote:
> I do wonder if this is the proper time & place to discuss the
> implications of requiring source code to have been obtained by a
> "secure path" excluding the internet. Can an internet-enabled open
> source therefore be considered "secure" by that definition?
The requirement for a "secure path" excluding the internet seems to be somewhat ridiculous, at least at first sight. You can sign the distributed source and the downloader can check the signature to ensure validity. But the above assumes the downloader already has a cryptographic package that is secure enough. Given that one definition of "secure enough cryptographic package" is "FIPS validated", it can be argued that the requirement makes sense for this class of software. You cannot go with the above assumption.

So I would say that from a theoretical viewpoint, requiring someone to obtain cryptographic software in an off-internet path does make sense. However, I don't think the requirement has any practical impact beyond that those in need of formally providing a FIPS validated crypto subsystem have to pay a small amount to FedEx.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
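The sign-and-verify path the reply describes, as an added example that is not part of the thread: a publisher signs a source archive with a private key and a downloader verifies the detached signature with the public key, and an archive altered after signing fails the check. It assumes the `openssl` command-line tool is installed; the key pair is generated locally as a stand-in for a real publisher's key, and the "archive" is a constructed file, so nothing is fetched from the network. The point the post makes still applies: the `openssl` binary doing the verifying, and the public key it is given, must themselves have reached the downloader over a trusted path.

```shell
#!/bin/sh
# Added example, not code from the thread. Signs a constructed "source archive"
# with a locally generated RSA key, verifies the detached signature, and shows
# that a tampered copy of the archive does not verify. Assumes the openssl CLI.

set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a distributed source tarball.
make_release() {
    printf 'int main(void){return 0;}\n' > "$WORK/release.tar"
}

# Publisher side: generate an RSA key pair and a detached SHA-256/RSA signature.
# In practice the private key never leaves the publisher; only the public key
# and the .sig file are distributed alongside the archive.
sign_release() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/signing-key.pem" 2>/dev/null
    openssl pkey -in "$WORK/signing-key.pem" -pubout \
        -out "$WORK/signing-key.pub" 2>/dev/null
    openssl dgst -sha256 -sign "$WORK/signing-key.pem" \
        -out "$WORK/release.tar.sig" "$WORK/release.tar"
}

# Downloader side: verify archive $1 against detached signature $2 using public
# key $3. Returns 0 on a good signature, non-zero otherwise. The public key must
# itself have been obtained over a channel the downloader trusts; that bootstrap
# step is what the "secure path" requirement is really about.
verify_release() {
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# Simulate an archive modified after it was signed (e.g. altered in transit).
tamper_release() {
    cp "$WORK/release.tar" "$WORK/release-tampered.tar"
    printf '/* injected */\n' >> "$WORK/release-tampered.tar"
}

make_release
sign_release
tamper_release

if verify_release "$WORK/release.tar" "$WORK/release.tar.sig" "$WORK/signing-key.pub"; then
    echo "original archive: signature OK"
else
    echo "original archive: signature FAILED"
fi

if verify_release "$WORK/release-tampered.tar" "$WORK/release.tar.sig" "$WORK/signing-key.pub"; then
    echo "tampered archive: signature OK (unexpected)"
else
    echo "tampered archive: signature FAILED (expected)"
fi
```

The verify step is deliberately separated into its own function taking the archive, signature and public key as arguments, so the same check can be run against a freshly downloaded archive and a pinned, previously obtained public key rather than one fetched from the same server as the archive.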