Kyle Hamilton wrote: > It's FIPS validation, not certification. (Not that I'm entirely sure > what the difference is, because when a validation is completed a > certificate is issued, but I've been corrected enough times by the > reps from the Open Source Software Institute that I don't dare call > it anything else. :))
...and that comes from the feedback I received from CMVP outsiders over five years or so that finally left me flinching whenever I heard the "C" word. There is a difference that was explained to me more than once but I'll confess it escapes me now. > > Note YOU MUST FOLLOW THE SECURITY POLICIES EXACTLY OR ELSE THE > RESULTING LIBRARY WILL NOT BE COMPLIANT. This includes shutting your > UNIX machine down to single-user mode during the build process. It > probably would not hurt to write down everything that you do in a > timestamped log so that you can prove that you have followed the > security policy. What he said -- and a good suggestion about the log. Though the "single user mode" restriction is intended to apply to runtime operation of the module, not necessarily just the module installation (creation). That restriction is in every validation that I've read for software on a general purpose computer. How can that be reconciled with the way such software is actually used? A good question, and one that I can't answer other than to note that the single user restriction is not unique to the OpenSSL FIPS Object Module; in years past I have pursued and been given multiple explanations, some quite elaborate, that I just don't get. -Steve M. -- Steve Marquess Open Source Software institute [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
