Technical Support wrote:
Steve
Could you explain what a private label validation is and its associated costs?
A "private label" validation is when a vendor takes the code from a
source code based validation (the most recent being #1051 for the
OpenSSL FIPS Object Module v1.2.2), builds a binary module, and then
obtains a separate FIPS 140-2 validation for that binary module. The
vendor invariably rebrands that module ("Acme Corp. Crypto Module 1.0"
or somesuch), hence the "private label" term.
Some vendors do this just for the marketing value of a vendor branded
crypto module; sometimes it is necessary as when a Level 2 validation is
needed. Many vendors also find the "pre-val" list (a list the CMVP
publishes of validation in process) useful in completing some government
procurement actions before the final validation is available, and
entering into a contract to perform a validation is a prerequisite for
appearing on that list.
Last year we (OSF) had the "private label" process streamlined to the
point of offering a US$30,000 validation package for two uncomplicated
platforms (see http://www.openssl.org/docs/fips/privatelabel.html).
This year the situation is more complex as there is (as yet) no source
code to copy, although I anticipate roughly comparable pricing.
-Steve M.
--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
