Hi Steve,
Thank you very much once again. We have a plan for FIPS 140-2 validation at a
later point in time.

As a quick method to become NIST compliant, we wanted to use
openssl-fips-2.0.2 along with the OpenSSL library.

Right now we don't want the full functionality of openssl-fips-2.0.2. We are
looking for only certain crypto operations.
Hence we are leveraging partial code from openssl-fips-2.0.2.

We had 2 concerns:

1. Licensing and usage terms for openssl-fips-2.0.2 were not clear. Now you
have cleared this doubt, thank you once again.
2. We were thinking FIPS certification is a must for NIST compliance. Looks
like they are separate. So I understand from your response that we can use
openssl-fips-2.0.2 even if we are not going for FIPS 140-2 certification,
but it can still be NIST compliant.

Regards
BR


On Wed, Dec 12, 2012 at 9:44 PM, Steve Marquess <
marqu...@opensslfoundation.com> wrote:

> On 12/12/2012 10:49 AM, bhagyalekshmi r wrote:
> > Hi Steve,
> >
> > Thank you very much for your time and response. Your reply gave me a pretty
> > clear picture. I have one last question. I would like to know if there is
> > any license related issue if I don't go for FIPS validation, but still use
> > part of openssl-fips-2.0.2 along with the OpenSSL library.
> >
> > In other words, say I am using a specific crypto algorithm from
> > openssl-fips-2.0.2 along with the OpenSSL library. Do I need to obtain a
> > change modification letter from OpenSSL, or will the existing license terms
> > of OpenSSL hold good?
>
> Well, you're dealing with two different concepts here.
>
> The FIPS module is available under the same permissive open source
> license as the rest of OpenSSL: http://openssl.org/source/license.html.
>
> That however is entirely separate from the issue of FIPS 140-2
> validation. As clearly noted in the Security Policy the source
> distribution cannot be changed *at all* for validation certificate #1747
> to remain applicable. That's what I meant by "you touch it, you own it".
>
> A minor source code change that does not affect the general
> functionality or any previously tested platforms (more than 50 now)
> could possibly be accommodated under the "change letter" process -- but
> remember any such changes have to make sense, or at least not impact,
> the general user community. We can extend and improve the FIPS module
> that way, but not customize it for specific purposes.
>
> Custom modifications to the FIPS module itself will require a new
> validation. You are free to use the source code, under the terms of the
> OpenSSL license, for that purpose but there is no avoiding the need for
> another validation. You can try to wade through that process yourself,
> or you can hire either OSF or a third party to pursue it for you. Figure
> on 9-12 months and $50K+ for that effort.
>
> Generally speaking you can freely modify OpenSSL and the intact FIPS
> module remains valid, though note that if you break the parts of OpenSSL
> designed for interfacing with the FIPS module you'll run into many
> problems. Any way you look at it you need really compelling reasons to
> choose that route; you will have not only the initial difficulty and
> expense of implementing custom modifications, but also the long term
> burden of supporting those customizations.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marqu...@opensslfoundation.com
> marqu...@openssl.com
>