Thanks, Steve.

Alex 


On 7/6/12 4:36 PM, "Steve Marquess" <marqu...@opensslfoundation.com> wrote:

>On 07/05/2012 12:43 PM, Alex Chen wrote:
>> Thanks for the information, Steve. I do have some questions about the
>> FIPS module.
>> 
>> 1. What does 'support' mean?  Does it involve source code change or is
>> it simple changes in the configure script to make the code compile
>> correctly in a specific OS and generate the proper library?
>
>In this context it means we expect to be adding iOS to the OpenSSL FIPS
>Object Module 2.0 (#1747) validation as a formally tested platform
>("Operational Environment"), which will mean that module can be used on
>iOS where FIPS 140-2 validation is required.
>
>> 2. Since the FIPS module 2.0 has already been certified will it require
>> a new certification if iOS support is added? Or is it going to fall into
>> the 'Change Letter' modification category?
>
>Yes, iOS will be added to the existing #1747 validation via a "change
>letter" process.
>
>> 3. From what is currently available, if a user wants to use OpenSSL FIPS
>> module for MacOS, the only option seems to be FIPS module 1.2.4 (and
>> implicitly OpenSSL 0.9.8)?
>
>Correct.
>
>> 4. It seems there is a sponsor for FIPS module 1.2.4 for MacOS but not
>> in FIPS module 2.0. What is involved in a 'sponsorship'?
>
>Money (always!) and sometimes the provision of suitable platforms to
>test on. In the case of Mac OS X we will need access to appropriate
>hardware for the duration of the testing process (several weeks).
>
>> 5. If we take the source code and create an Xcode project to build the
>> library instead of using the configure script but use the same flags and
>> defines specified in the Makefile, will the resulting library still be
>> considered valid, assuming it passes all the tests that come with the
>> source code?
>
>Only the FIPS module itself (the fipscanister object file) is validated.
>That must be generated *exactly* as documented in the Security Policy,
>and the documented process does not use Xcode for OS X. Once that is
>done there are essentially no restrictions on how you subsequently link
>it with your application code.
>
>So, you're stuck with the config/Configure scripts for the module build;
>no room for creativity there. We used Xcode to build the test programs
>used for the OS X and iOS validation testing.
>
>-Steve M.
>
>-- 
>Steve Marquess
>OpenSSL Software Foundation, Inc.
>1829 Mount Ephraim Road
>Adamstown, MD  21710
>USA
>+1 877 673 6775 s/b
>+1 301 874 2571 direct
>marqu...@opensslfoundation.com
>marqu...@openssl.com
>
>
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    openssl-users@openssl.org
>Automated List Manager                           majord...@openssl.org
>

