Re: FIPS change letter process

Mon, 21 Jul 2014 13:31:26 -0700 

On 07/21/2014 01:48 PM, Moffatt, Greg wrote:
> Greetings
> 
>  
> 
> We’re investigating on what’s required to add FIPS support to our product.
> 
>  
> 
> We’ve noticed that OpenSSL currently doesn’t support MIPS – specifically
> on Linux 3.10 kernels.
> 
>  
> 
> It’s not clear to me that the “Change Letter” process would be suitable
> for this.  In our investigation we can generate a FIPS module with only
> additions to the Configure script, without any other source changes
> required.
> 
>  
> 
> What would be the process to investigate this further and/or proceed
> with a “Change Letter” to add MIPS?

This is a common situation and the reason we're currently testing the
101st platform ("Operational Environment") for the #1747 validation.

The Security Policy, and caveat on the NIST CMVP web site, very
specifically state that "There shall be no additions, deletions or
alterations to the tar file contents as used during module build."

They mean that quite literally; no modifications no matter how trivial,
not even cosmetic or whitespace changes. So the Implementation Guidance
G.5 "user affirmation" isn't a viable option when such modifications are
necessary.

Such modifications -- for platform portability -- are generally allowed
in the context of a "change letter" update, which is why we're now
working on the eighth such revision.

For "uncomplicated" platforms our cost for adding that platform to the
#1747 validation is typically US$15,000 (sometimes less for current
clients or multiple platforms done at once). Anything running Linux
*probably* qualifies as "uncomplicated".

If you can afford to wait long enough there is always the chance that
someone else will sponsor the specific platform that you want.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to