On 12/12/2012 06:17 PM, John Corbin wrote:
> Is there a document that lists the appropriate 800-56a standards the
> OpenSSL FIPS module conforms to and for each applicable section listed in
> the 800-56a standard as conforming, is there a listing for all statements
> that are not "shall" (that is, "shall not", "should", and "should not")? If
> the included functionality is indicated as "shall not" or "should not" in
> the 800-56a standard, then is there a document providing rationale for why
> this will not adversely affect the security policy implemented by the
> OpenSSL FIPS module? Is any omission of functionality related to "shall" or
> "should" statements described?
> 
> I have looked at the document OpenSSL FIPS Object Module Version 2.0.2 and
> looked at table 4a but did not find a detailed discussion on how it
> satisfies the 800-56a standard.

There is no such document. We have already published what we can. In the
course of that validation (#1747) we responded to many questions from
the test lab about SP 800-56A, but that correspondence is strewn across
many months. That test lab presumably has an internal analysis summary
but if so it has not been made available to us or to the public.

Note it is the function of the accredited test lab to perform a review
of all aspects of FIPS 140-2, in particular the Derived Test
Requirements, but the test lab is not obligated to release the details
of such assessments, and in my experience none of them do. Those details
are treated as a trade secret. The FIPS 140-2 validation process is not
an open one; we've done what we could to open it up but there is much
that the prospective vendor seeking a new independent validation must
revisit.

I will note that, to the extent I have been privy to details on that
type of internal test lab analysis, different test labs often take very
different approaches. So an analysis done by lab A may be of minimal use
to lab B. The same basic OpenSSL FIPS Object code has now been validated
many times by multiple test labs, so we know that there are one or more
correct answers to every question that arises in the course of a
validation, but those individual answers are not necessarily consistent
from one validation to another. You'll need to work with your test lab
to develop your own set of internally consistent answers.

If you can get that lab to publish the details, please do :-)

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
