On 08/30/2012 04:20 PM, Jason Todd wrote: > I'm sorry, I misread one of your earlier messages on the subject: > > "Normally recompilation would only be done by the > vendor of record (OSF for this validation), but for the OpenSSL FIPS > Object Module series of validations compilation from source is part of > the module installation process. " > > I was assuming that this somehow magically made me the vendor as well. > ...
The OpenSSL FIPS Object Module series are unique in being distributed in source code form and "installed" by compiling and linking. But, that doesn't make you the vendor. > But I can assert "user affirmation" for OSX? Well, the answer to that lies in the scripture, the I.G. (http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf). Read section G.5, in particular "Note 1". As I read it that seems to allow some significant latitude for "user affirmation". However, keep in mind that issues like "code path" remain relevant (see the User Guide, http://www.openssl.org/docs/fips/UserGuide-2.0.pdf). There isn't any clear detailed guidance on this topic, and you're unlikely to get any from the only authority that matters, the CMVP. So, you can assert it, just as Glendower can call spirits from the vasty deep. The question is whether your intended audience (customers, procurement officers, auditors) will be satisfied. We have found that our clients have widely varying comfort levels with such affirmations, driven in most case by marketing considerations (customer expectations). On 08/30/2012 04:28 PM, Jason Todd wrote: > Another confusing part, is that since you never release binaries. > Is it the organization's own internal testing that has to change > in order to approve "Vendor affirmed". "Vendor affirmed" is something that the vendor would do, and this vendor (OSF) has yet to vendor affirm anything. Why? Because for us to be comfortable doing so we would feel compelled to do almost as much work as we would for a "change letter" modification that would formally include the new platform in the validation. We don't want to be in the position of having to argue publicly with armchair quarterbacks about the validity of our affirmations, and remember that we had to deal with some very sustained criticism during the first validations. > And I apologize if these > are dumb questions, FIPS is like a house of mirrors where clowns > murder you if you blink. Heh ... a darker simile that the Alice in Wonderland comparison I use. FIPS 140-2 has its own strange logic that grates against every sensibility of the experienced software developer. I've been immersed in it for years and I still don't get some of the rationalizations. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org