In message <[EMAIL PROTECTED]> on Fri, 14 May 2004 07:29:51 -0400, "Marquess, Steve Mr JMLFDC" <[EMAIL PROTECTED]> said:
Steve.Marquess> Richard Levitte wrote:
Steve.Marquess> 
Steve.Marquess> >jaltman> One concern with your answer is that it
Steve.Marquess> >jaltman> appears to imply that FIPS certification can
Steve.Marquess> >jaltman> only be useful to applications which
Steve.Marquess> >jaltman> statically link in all libraries.
Steve.Marquess> >jaltman> Therefore, the openssl distributions which
Steve.Marquess> >jaltman> are shipped by Linux vendors in RPMs cannot
Steve.Marquess> >jaltman> be considered FIPS certified. Correct?
Steve.Marquess> >
Steve.Marquess> >The consequence would be that if OpenSSL is
Steve.Marquess> >configured with "fips", it should be considered to be
Steve.Marquess> >configured without "shared", regardless of the
Steve.Marquess> >arguments given by the person building/script. Would
Steve.Marquess> >that be regarded as a viable solution?
Steve.Marquess> 
Steve.Marquess> It would, but there is a complication. Our mechanism
Steve.Marquess> doesn't preclude use of shared libraries per se. In
Steve.Marquess> the special case where the path to the shared library
Steve.Marquess> is known (so the *.sha1 file could be located), the
Steve.Marquess> FIPS_mode_set() integrity check will still work. This
Steve.Marquess> would be the case where an application loaded the
Steve.Marquess> shared library by explicit pathname, as with dlopen().
Steve.Marquess> Graeme Perrow posted to the users list his desire to
Steve.Marquess> use such an explicitly loaded shared library, and I
Steve.Marquess> have modified the Security Policy document
Steve.Marquess> accordingly. It has not been reviewed and approved by
Steve.Marquess> NIST but based on verbal discussions I think it will
Steve.Marquess> be.

So let's see, would libcrypto.so and libssl.so be considered FIPS certified or not? Right now, I can't really say... Things like "Catch 22" come to mind...

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
-- 
Richard Levitte \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-708-26 53 44
\ SWEDEN \
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
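The path-dependent integrity check Steve describes (the *.sha1 file can only be found when the library's location is known) modelled in Python as an added example, not OpenSSL's own code or anything from this thread; the `PATH + ".sha1"` naming, the hex-digest file contents and the stand-in library file are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Assumed convention (illustration only): the expected SHA-1 of a library at PATH is
# stored as a hex string in PATH + ".sha1", like the "*.sha1" files the thread mentions.
DIGEST_SUFFIX = ".sha1"

def sha1_of_file(path):
    """Hash the library image in chunks so large objects need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_digest_file(lib_path):
    """Build-time step: record the expected digest next to the library."""
    with open(lib_path + DIGEST_SUFFIX, "w") as f:
        f.write(sha1_of_file(lib_path) + "\n")

def check_integrity(lib_path):
    """Return 'ok', 'tampered' or 'unverifiable'.
    'unverifiable' is the case the thread worries about: the dynamic loader resolved
    the library by soname, the caller never learned its path, so the sibling digest
    file cannot be located and the check has to fail closed."""
    if lib_path is None:
        return "unverifiable"
    digest_path = lib_path + DIGEST_SUFFIX
    if not (os.path.isfile(lib_path) and os.path.isfile(digest_path)):
        return "unverifiable"
    with open(digest_path) as f:
        expected = f.read().strip().lower()
    actual = sha1_of_file(lib_path)
    # Constant-time comparison: do not leak how many digest characters matched.
    return "ok" if hmac.compare_digest(expected, actual) else "tampered"

def demo():
    """Constructed scenario: a stand-in library file, its digest, then a modification."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libcrypto.so")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF stand-in library image\n")  # constructed, not a real ELF
        write_digest_file(lib)
        before = check_integrity(lib)
        with open(lib, "ab") as f:
            f.write(b"patched\n")  # simulate a modified library image
        return before, check_integrity(lib), check_integrity(None)
```

`demo()` returns `('ok', 'tampered', 'unverifiable')`: the explicit-path case verifies, a modified image is caught, and a library whose path is unknown cannot be checked at all.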