On 03/26/2014 02:45 PM, Jason Schultz wrote:
> I’m trying to decipher FIPS 140-2 Certification in regards to OpenSSL
> FIPS module 2.0 and have some questions:
>
> 1. Can one claim FIPS validated if running on an Operating
> Environment not listed on Cert #1747? (I don’t think not having an OE
> direct match is necessarily required, as long as I follow the build
> guidelines as defined in the Security Policy.)

As with so much in FIPS 140-2, it depends. Here the key issue is the meaning of "claim". To oversimplify a messy situation, the USG/DoD formal procurement policies that are the motivation for FIPS 140-2 validation, and the formal FIPS 140-2 scripture, allow for something called "user affirmation". See G.5 in the Implementation Guidance document:

http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf

Sounds good, right? Not so fast. You want a FIPS 140-2 validated module so you can sell your product to the USG/DoD market (FIPS validation is undesirable in any other context). That means you must satisfy your USG/DoD customer that your product is righteous, never mind what the formal policies might say. And in fact I hear from numerous clients that some customers refuse to accept user affirmation.

So the best answer to this question is "ask your marketing/sales people what the real requirement is". You can rarely win an argument over interpretation of scripture, and the customer is always right.

> 2. Related to #1, what if the build process is followed on an OE
> listed on 1747, and the resulting FIPS and OpenSSL modules were moved to
> an OE not listed (e.g. Linux 3.0)?

Where the build occurs is essentially irrelevant. What matters is where the module is executed (the "Operational Environment").

> 3. If I cannot claim validation from #1, would I have to get my OE
> fully certified or can I do a change letter through the OpenSSL group?

It depends :-). If your marketing folks tell you that user affirmation suffices, run with it. If not then your next best option is to sponsor addition of your specific platform(s) of interest to the #1747 validation. That's how that validation has currently grown to 80 platforms, more than any other validation.

> 4. What are the costs for a change letter?

It depends :-). There are more potential factors and potential complications than I care to try and document here, but as a general rule of thumb an "uncomplicated" platform (for the peculiar FIPS 140-2 definition of platform) can usually be added for US$15K.

> 5. Is there any way to see any change letters in the works already
> for 1747 that just haven’t been added to the cert (e.g. Linux 3.0)?

We don't publish lists of platforms in process for a number of reasons, in particular the fact that the final form of the name as it appears in the Security Policy and the CAVP and CMVP web sites is a surprisingly tricky issue.

At present we have nine platforms ready (and waiting...) for testing with several more en route. None of them will be "Linux 3.0".

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc