On 12/12/2012 10:49 AM, bhagyalekshmi r wrote:
> Hi Steve,
> 
> Thank you very much for your time and response. Your reply gave me pretty
> clear picture. I have one last question. I would like to know is there any
> license related issue if I don't go for FIPS validation, but still use part
> of openssl-fips-2.0.2 along with OpenSSL library.
> 
> In other words, say I am using a specific crypto algorithm from
> openssl-fips-2.0.2 along with OpenSSL library. Do I need to obtain a change
> modification letter from OpenSSL or existing license terms of OpenSSL will
> hold good?

Well, you're dealing with two different concepts here.

The FIPS module is available under the same permissive open source
license as the rest of OpenSSL: http://openssl.org/source/license.html.

That however is entirely separate from the issue of FIPS 140-2
validation. As clearly noted in the Security Policy the source
distribution cannot be changed *at all* for validation certificate #1747
to remain applicable. That's what I meant by "you touch it, you own it".

A minor source code change that does not affect the general
functionality or any previously tested platforms (more than 50 now)
could possibly be accommodated under the "change letter" process -- but
remember any such changes have to make sense, or at least not impact,
the general user community. We can extend and improve the FIPS module
that way, but not customize it for specific purposes.

Custom modifications to the FIPS module itself will require a new
validation. You are free to use the source code, under the terms of the
OpenSSL license, for that purpose but there is no avoiding the need for
another validation. You can try to wade through that process yourself,
or you can hire either OSF or a third party to pursue it for you. Figure
on 9-12 months and $50K+ for that effort.

Generally speaking you can freely modify OpenSSL and the intact FIPS
module remains valid, though note that if you break the parts of OpenSSL
designed for interfacing with the FIPS module you'll run into many
problems. Any way you look at it you need really compelling reasons to
choose that route; you will have not only the initial difficulty and
expense of implementing custom modifications, but also the long term
burden of supporting those customizations.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
