I’m trying to decipher FIPS 140-2 Certification in regards to OpenSSL FIPS module 2.0 and have some questions:
1. Can one claim FIPS validated if running on an Operating Environment not listed on Cert #1747? (I don’t think not having an OE direct match is necessarily required, as long as I follow the build guidelines as defined in the Security Policy.) 2. Related to #1, what if the build process is followed on an OE listed on 1747, and the resulting FIPS and OpenSSL modules were moved to an OE not listed (e.g. Linux 3.0)? 3. If I cannot claim validation from #1, would I have to get my OE fully certified or can I do a change letter through the OpenSSL group? 4. What are the costs for a change letter? 5. Is there any way to see any change letters in the works already for 1747 that just haven’t been added to the cert (e.g. Linux 3.0)? Thanks in advance.
