Brad House wrote:
As far as I am aware, the 1.1 tarball won't be released until validation is complete, and the 1.0 tarball has been removed because the validation has been temporarily 'suspended'.
Correct on both counts (current deployments based on 1.0 can remain in use). The release of 1.1 is further complicated by the recent signature forgery problem which will require the entire test suite drill to be repeated, which will mean further indeterminate delays.
That bug shows where the open source development model and the FIPS 140-2 validation process are not a good fit. The lead time for correcting and announcing problems in OpenSSL code is usually measured in days. The lead time for validating changes is measured in many months. Closed source proprietary vendors of course have an enormous incentive to skip the announcement step :-)
-Steve M. -- Steve Marquess Veridical Systems, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 301-524-9915 cell 301-831-8447 land/fax [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
