On Tue 2006-04-11 18:09, Brad House wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] on behalf of Brad House
> Sent: Tue 2006-04-11 18:09
> To: openssl-dev@openssl.org; [EMAIL PROTECTED]
> Subject: Re: OpenSSL FIPS 1.0 AIX using GCC patches
>
> > It is not only fips_canister.c which cannot be modified. *NOTHING* in the
> > fips-1.0 tarball can be modified without invalidating the certification.
> > There is a published hash for that tarball in the security policy and it
> > is effectively frozen.
> >
> > The possibility of including minor non-cryptographic changes in a "fast
> > track" followup certification may exist.
>
> Ah, I thought it was only the files listed with HMAC-SHA-1
> signatures/hashes in Appendix B of the OpenSSL Security Policy PDF:
> http://oss-institute.org/images/OpenSSL_SecurityPolicy_FINAL.pdf
>
> Obviously, I was assuming (hoping) too much there :)
>
> We may be willing to sponsor or help sponsor a followup certification
> depending on $$.
Please get in touch with John Weathersby of OSSI, [EMAIL PROTECTED], to ask
about co-sponsoring the follow-on validation that is already planned once
sufficient funds are on hand. There is a largish fixed cost component to any
validation, the CMVP test lab fee, so it makes sense to try to satisfy as many
requirements as possible for each such iteration, and spread that fixed cost
among multiple sponsors. The next validation should take a lot less than
3-1/2 years...

-Steve M.

--
Steve Marquess
c/o Open Source Software Institute
[EMAIL PROTECTED]