Just as a short comment, our fips/non-fips usage could probably satisfy this requirement; we wrap openssl in an external api that routes through a function pointer table. Then at run-time we can fill in the function pointers with the fips functions or the non-fips functions depending on which mode is desired; it wouldn't take much modification to delay loading the fips function pointers until the POST is complete as long as the client code doesn't choke on a "not ready yet" return code.
---
Nou Dadoun
ndad...@teradici.com
604-628-1215

-----Original Message-----
From: Steve Marquess [mailto:marqu...@opensslfoundation.com]
Sent: July 17, 2013 4:55 PM
To: openssl-users@openssl.org
Cc: Nou Dadoun
Subject: Re: End of the line for OpenSSL Fips?

On 07/16/2013 08:10 PM, Nou Dadoun wrote:
> Since I hadn't looked for a while, I thought that I'd see where the
> current Openssl FIPS work stood and found this:
> http://www.opensslfoundation.com/fips/ig95.html
>
> Surprised that I hadn't heard about this previously but if I'm
> reading it correctly, it seems to effectively kill any future Openssl
> FIPS certifications although it appears that our current
> certification remains valid.

That is a definite possibility. At best any new validation would be very expensive even by the grim standards of previous OpenSSL FIPS Object Module validations.

> Sorry if this has been discussed previously but is this the case? A
> pointer to a previous discussion if one exists would be sufficient,
> thanks ... N

There has been no public discussion that I know of. There is a bit of turmoil in the FIPS 140-2 arena right now, about the I.G. 9.5 and other issues. We're sitting that out until we know the final outcome. In the meantime we're only doing "change letter" updates to the #1747 validation.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
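
The function-pointer-table approach described in the reply at the top of this thread, sketched as an added example; it is not code from either poster or from OpenSSL. All `cw_*` names, the return codes and the table layout are hypothetical, and FNV-1a stands in for a real digest so the sketch runs without a crypto library.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical wrapper API; none of these names come from OpenSSL. */
enum { CW_OK = 0, CW_NOT_READY = -1, CW_POST_FAILED = -2 };
typedef int (*cw_digest_fn)(const uint8_t *in, size_t len, uint32_t *out);
typedef struct { const char *name; cw_digest_fn digest; } cw_table;

/* FNV-1a is a stand-in, not an approved algorithm; a real table would call the crypto module. */
static uint32_t fnv1a(const uint8_t *in, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= in[i]; h *= 16777619u; }
    return h;
}
static int fips_digest(const uint8_t *in, size_t len, uint32_t *out) { *out = fnv1a(in, len); return CW_OK; }
static int plain_digest(const uint8_t *in, size_t len, uint32_t *out) { *out = fnv1a(in, len); return CW_OK; }
/* Constructed faulty backend, used only to exercise the POST failure path. */
static int broken_digest(const uint8_t *in, size_t len, uint32_t *out) { *out = fnv1a(in, len) ^ 1u; return CW_OK; }
static int not_ready(const uint8_t *in, size_t len, uint32_t *out) { (void)in; (void)len; (void)out; return CW_NOT_READY; }
static int post_failed(const uint8_t *in, size_t len, uint32_t *out) { (void)in; (void)len; (void)out; return CW_POST_FAILED; }

static const cw_table tbl_fips = {"fips", fips_digest}, tbl_plain = {"non-fips", plain_digest};
static const cw_table tbl_broken = {"broken", broken_digest};
static const cw_table tbl_not_ready = {"not-ready", not_ready}, tbl_failed = {"post-failed", post_failed};
/* Clients only ever call through this pointer; it starts on the not-ready stubs. */
static _Atomic(const cw_table *) active = &tbl_not_ready;
int cw_digest(const uint8_t *in, size_t len, uint32_t *out) { return atomic_load(&active)->digest(in, len, out); }
/* Non-FIPS mode is usable at once; FIPS mode stays not-ready until the POST passes. */
void cw_select_mode(int fips) { atomic_store(&active, fips ? &tbl_not_ready : &tbl_plain); }

/* Toy POST: one known-answer test. On failure the error stubs are installed, never the candidate. */
int cw_finish_post(const cw_table *candidate) {
    uint32_t got = 0;
    int ok = candidate->digest((const uint8_t *)"abc", 3, &got) == CW_OK && got == 0x1A47E90Bu;
    atomic_store(&active, ok ? candidate : &tbl_failed);
    return ok ? CW_OK : CW_POST_FAILED;
}

int main(void) {
    uint32_t d = 0;
    cw_select_mode(1);
    printf("before POST: %d\n", cw_digest((const uint8_t *)"abc", 3, &d));
    printf("faulty POST: %d\n", cw_finish_post(&tbl_broken));
    cw_select_mode(1); /* simulated restart */
    printf("good POST:   %d\n", cw_finish_post(&tbl_fips));
    printf("after POST:  %d (digest %08x)\n", cw_digest((const uint8_t *)"abc", 3, &d), (unsigned)d);
    return 0;
}
```

Client code has to treat `CW_NOT_READY` as retryable and `CW_POST_FAILED` as fatal; the table swap is a single atomic pointer store, so callers never see a half-filled table.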