I completely understand and appreciate your quick response :) For the time being, we'll stick with using the latest version of the 0.9.X series of OpenSSL.
Thanks again,
James

>---- Original Message ----
>From: Steve Marquess <marqu...@opensslfoundation.com>
>To: openssl-users@openssl.org
>Sent: Thu, Jul 29, 2010, 11:29 AM
>Subject: Re: OpenSSL 1.0.0 FIPS module
>
>ja...@nixsecurity.org wrote:
>> Hello,
>>
>> Aside from searching the net, I've learned that the FIPS module for
>> OpenSSL 1.0.0 requires funding for the project and availability of the
>> next FIPS revision (I think). I'm curious if there's an ETA on the
>> module at all? I've also noticed that Redhat (Fedora) is pushing
>> OpenSSL 1.0.0 with FIPS, I'm assuming they've either modified the FIPS
>> module to be compatible with OpenSSL 1.0.0, they've obtained their own
>> module by other means or some other method.
>>
>> Any information on this would be helpful.
>>
>> Thanks in advance,
>> James
>
>I'll have to speculate here as I've had no contact with Red Hat, but it
>appears that they have obtained their own proprietary validation based
>on OpenSSL
>(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1320).
>This is a pretty common thing for proprietary software vendors to do,
>and obtaining such a binary validation is much easier than for the open
>source based ones (e.g. the OpenSSL FIPS Object Module v1.2, #1051).
>I've been told by those in the know that the *majority* of all software
>validations are based on OpenSSL.
>
>There is no schedule for a new open source based 1.0 compatible
>validation because we have no funding. In fairness to the commercial
>vendors like Red Hat, it isn't to their economic advantage to support a
>validation that could be leveraged by their competitors. To those
>vendors who do have validated crypto modules the FIPS 140-2 procurement
>requirements are a marvelous advantage that lock out a lot of potential
>competition, well worth the (significant) expense.
>
>Not such a good deal for the U.S. and Canadian taxpayers, as they
>indirectly pay for many validations of essentially the same software,
>but there is currently no one really representing that interest (the
>previous validations did receive significant financial support from the
>U.S. government and DoD, but that was all done on a one-off basis).
>
>-Steve M.
>
>--
>Steve Marquess
>The OpenSSL Software Foundation, Inc.
>1829 Mount Ephraim Road
>Adamstown, MD 21710
>USA
>+1 877-673-6775
>marqu...@opensslfoundation.com
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    openssl-users@openssl.org
>Automated List Manager                           majord...@openssl.org