On 18/12/2015 19:58, Steve Marquess wrote:
> On 12/18/2015 12:58 PM, jonetsu wrote:
>> Fair enough (in this context). But what about the code itself, is it ready
>> to be RSA 186-4 compliant?
>
> We think we know how to write the code that would be necessary, for FIPS
> 186-4 and all the other new requirements, though you can never be sure
> until *your* specific module has been formally validated. Given the
> capriciousness of the FIPS 140-2 validation process, which I've
> commented on frequently, the fact that someone else did something in
> *their* validation doesn't necessarily mean a lot for *your* validation.
> But, without an open source based validation in which such code would
> have any general utility, we see no point in writing FIPS specific code.
> We're not in the business of doing speculative software development.
>
>> And, if we go through a validation, can OpenSSL benefit from it?
>
> By "we" do you mean some sort of proprietary commercial validation?
> Those don't contribute at all to the availability of a no-cost open
> source validated module; code is worthless (even "open source" code) for
> the purposes of satisfying the USG/DoD FIPS 140-2 procurement
> requirements if it hasn't been sprinkled with the magical pixie dust of
> FIPS 140-2 validation.
> Writing the code isn't trivial, but that has never been the hard part...

Maybe he is asking that if "they" contribute the code, could this
ease the (non-bureaucratic) work that OpenSSL would need to do for
that future "version 3" FIPS module?
Enjoy and Merry Christmas
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded