On 01/30/2014 08:49 AM, Leon Brits wrote:
> Steve,
> 
> We are talking past each other - sorry for that but that is the way 
> people like me get to understand these things.
> 
> First off, we have not changed any code of the FIPS Object Module. We
> simply do not use all of the algorithms based on requirements. The
> application linking the libcrypto.so enforces that only required and
> allowed cryptographic calls are made to the Module. So, if I
> understand you (or maybe again not), we must test everything in the 
> Module even if we do not use them? And this is why the new
> directives will give me problems - right?

Hmmm. So you're obtaining your own private label validation. Since
you're doing a validation from scratch, you have two options. One is to
just remove the algorithms you don't want. The other is to keep the code
as-is and designate the algorithms you don't want and don't plan to use
as "non-Approved" (you'll still need to identify them though).

> Background: We were hoping to use your certification of the
> algorithms as part of our product's validation. Using your
> certificate numbers in our SP in section 2 for "Cryptographic
> Functionality".

That's known as "OEMing" certificates. If you look through extant
validations (note Google indexes PDFs) you'll see more than a few
proprietary validations that reference algorithm certificates from the
#1747 validation.

You'll need to use unmodified code from the #1747 validation (almost
certainly; some labs are a little more flexible on some mods) and need
an "OEM" certificate that matches that code and your platform.

Then you'll still need to address the IG 9.10 issues at least, meaning
code mods which (again depending on the lab) may well mean you can't OEM
algorithm certs from #1747.

If your only objective is to end up with a FIPS module that is
functionally identical to the OpenSSL FIPS Object Module, for your
platform(s) of interest, there is a much easier way. You can have your
platform(s) added to the #1747 validation. That's how that validation
came to have 80 platforms (with another dozen or so on the way) :-).

Our rough cost for the "change letter" addition of a platform to #1747
is $15K and 2-3 months. Compare that to the cost and time for any type
of new validation.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
