Steve Marquess wrote:
> On Tue 2006-04-11 18:09, Brad House wrote:
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] on behalf of Brad House
>> Sent: Tue 2006-04-11 18:09
>> To: openssl-dev@openssl.org; [EMAIL PROTECTED]
>> Subject: Re: OpenSSL FIPS 1.0 AIX using GCC patches
>>  
>>> It is not only fips_canister.c which cannot be modified. *NOTHING* in the
>>> fips-1.0 tarball can be modified without invalidating the certification. There
>>> is a published hash for that tarball in the security policy and it is
>>> effectively frozen.
>>>
>>> The possibility of including minor non-cryptographic changes in a "fast
>>> track" followup certification may exist.
>> Ah, I thought it was only the files listed with HMAC-SHA-1
>> signatures/hashes in Appendix B of the OpenSSL Security Policy PDF:
>> http://oss-institute.org/images/OpenSSL_SecurityPolicy_FINAL.pdf
>>
>> Obviously, I was assuming (hoping) too much there :)
>>
>> We may be willing to sponsor or help sponsor a followup certification
>> depending on $$.
> 
> Please get in touch with John Weathersby of OSSI, [EMAIL PROTECTED],
> to ask about co-sponsoring the follow-on validation that is already
> planned once sufficient funds are on hand.  There is a largish fixed
> cost component to any validation, the CMVP test lab fee, so it makes
> sense to try to satisfy as many requirements as possible for each such
> iteration, and spread that fixed cost among multiple sponsors.
> 
> The next validation should take a lot less than 3-1/2 years...

Ok, thanks, I'll try to get a hold of him on Monday (when I
get back into the office).

Definitely makes sense to get in as many changes as possible
because of the overhead involved (both cost and time). Hopefully
we can provide assistance in both areas.  Currently it's only
preventing us from being able to use FIPS mode on SCO OpenServer
and AIX (which for AIX, a workaround of using XLC is possible,
we'd just need to purchase that from IBM), so we're not in a huge
rush, so any co-sponsorship wouldn't have any 'strings' such as
timelines, from us :) Since we derive great value from the existence
of OpenSSL, we'd like to contribute what we can.

Thanks for the contact info.
-Brad
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]