Another confusing part, is that since you never release binaries. Is it the organization's own internal testing that has to change in order to approve "Vendor affirmed". And I apologize if these are dumb questions, FIPS is like a house of mirrors where clowns murder you if you blink.
On Thu, Aug 30, 2012 at 4:20 PM, Jason Todd <ja...@bluntstick.com> wrote: > I'm sorry, I misread one of your earlier messages on the subject: > > "Normally recompilation would only be done by the > vendor of record (OSF for this validation), but for the OpenSSL FIPS > Object Module series of validations compilation from source is part of > the module installation process. " > > I was assuming that this somehow magically made me the vendor as well. But > I can assert "user affirmation" for OSX? > > > > > On Thu, Aug 30, 2012 at 4:02 PM, Steve Marquess < > marqu...@opensslfoundation.com> wrote: > >> On 08/30/2012 02:02 PM, Jason Todd wrote: >> > I understand that its not validated. But if I understand correctly, I >> > can claim "vendor affirmed" if I can build it with no modifications (and >> > at least the canister builds with no modifications). Is this correct? >> >> Only if you are the vendor. In the case of validation #1747 the vendor >> is the OpenSSL Software Foundation. >> >> You are thinking of "user affirmation" (I.G. G.5): >> >> http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf >> >> -Steve M. >> >> -- >> Steve Marquess >> OpenSSL Software Foundation, Inc. >> 1829 Mount Ephraim Road >> Adamstown, MD 21710 >> USA >> +1 877 673 6775 s/b >> +1 301 874 2571 direct >> marqu...@opensslfoundation.com >> marqu...@openssl.com >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> Automated List Manager majord...@openssl.org >> > >
