On 07/18/2013 10:17 PM, Thomas J. Hruska wrote:
> ...
> I'm not seeing anywhere in the Q&A where it might suggest how much
> funding would be required to meet the financial goals of upgrading
> OpenSSL FIPS.  Based on the "as low as" private label price tag of
> $35,000 located elsewhere on the site, I'll assume "not cheap".

Heh. For anything FIPS 140-2 that *is* cheap. Note that we are currently
no longer doing those "private label" validations, and if we ever do so
again I doubt they will ever again be that inexpensive.

> But
> even a ballpark figure would be helpful for those organizations that
> might be willing to sponsor the effort.

Well, we don't know as the final requirements aren't known. But figure
at *least* US$250K.

Note there will probably be more new obstacles than just this I.G. 9.5
issue. The CMVP is circulating a draft I.G. revision that would have the
more or less direct effect of banning OpenSSL FIPS Object Module style
validations outright (whether that is the conscious intent or not). I
understand that proposed revision is still under active consideration,
but regardless of the outcome of that or any other specific issue the
risk of encountering new requirements well into a validation effort is
considerable. These open source validations have not been money makers
for us; we're losing less money each time but my enthusiasm at least for
tilting at that windmill is diminishing.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
