Kyle Hamilton wrote:
As has been mentioned numerous times by Steve Marquess, the FIPS validation process is fraught with peril. It is entirely, from what I gather, rather like playing Chutes & Ladders with a constantly-changing board.
I have been holding off on making any announcements regarding v1.1.2, hoping to have something definitive to report. But every time we think we might know what's happening the situation changes. At present, it appears the time-line for (re)validation of v1.1.2 is an uncertain as ever. The review questions we're getting from the CMVP for this "fast track" validation imply they will require additional changes to meet new requirements not in effect when the original validation was awarded. That work would have to occur at the expense of the v1.2 validation, should we elect to make that painful trade-off. With the #733 validation effectively revoked for over a month it seems to me that much of the damage has already been done; many or most of those vendors and users impacted by that revocation have probably already been forced to pursue other alternatives to waiting for the approval of the vulnerability patch.
Currently, we are weighing our options to determine how to best use our resources to provide the greatest benefit through these validation efforts. We'd also like to acknowledge the continued commitment of DOMUS, the IT security lab for this project, and representatives from the development and vendor communities who have continued give so much of their time and resources to this effort.
There cannot be any effective estimate of when it may be done; the best estimate is equally likely to be 'next month' as it is to be '2018'..
Kyle's answer is as good as any I could give. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
