Jeffrey Altman wrote:
Steve:
Thank you for the answer.
Just fyi, I and Richard Levitte did spend time to get the code to work on Windows to the extent that was possible without an answer to the questions you have now answered.
One concern with your answer is that it appears to imply that FIPS certification can only be useful to applications which statically link in all libraries. Therefore, the openssl distributions which are shipped by Linux vendors in RPMs cannot be considered FIPS certified. Correct?
My understanding is that our security policy is that if you can show a chain of SHA-1 HMAC signatures from the certified source to whatever-it-is-you-are-running, then you are certified. We provide one mechanism to do that. You can provide others.
Note that the chain of signatures is _not_ intended to handle malicious intent. It is there to make it difficult to think you are certified when in fact you are not.
Cheers,
Ben.
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
