On 10/20/2013 08:29 AM, Oz, Tal (Tal) wrote:
> Hi,
>
> I can see there is an important note that FIPS 1.2 is no longer valid in its
> current form past 2010 (http://www.openssl.org/docs/fips/fipsnotes.html)
> There is also a reference to SP 800-131.
>
> From reading it, it looks like it should be ok to use it until 2015.
> For example, the random number generator being used (X9.31) is valid till end
> of 2015.
>
> Can anyone tell me why it is stated that FIPS 1.2 is not valid to use for
> private validation?

A "private label" validation is where the OpenSSL FIPS Object Module source code and documentation (which are publicly available at no cost) are used to obtain a separate private, or proprietary (not open) validation. This has been done quite a few times, sometimes using the software completely unmodified and sometimes with minor modifications.

The requirements for a FIPS 140-2 validation change frequently, and unfortunately even retroactively (in that new requirements have been imposed on validations at any stage of the process, even past the point of the formal test report submission to the government). Those requirements have changed so substantially since the original #1051 validation was obtained that using that open source based validation as the basis for a new validation is no longer feasible.

In addition, the #1051 OpenSSL FIPS module 1.2 is only compatible with OpenSSL 0.9.8. Any new development or validation work could more effectively and economically reference the newer #1747 validation (the 2.0 module) which is compatible with OpenSSL 1.0.1.

Note the older 1.2 module itself (validation #1051) remains valid for currently deployed products.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[email protected]
[email protected]
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
