Re: OpenSSL 1.0.0 FIPS module
ja...@nixsecurity.org wrote:

> Hello,
>
> Aside from searching the net, I've learned that the FIPS module for OpenSSL 1.0.0 requires funding for the project and availability of the next FIPS revision (I think). I'm curious if there's an ETA on the module at all?
>
> I've also noticed that Redhat (Fedora) is pushing OpenSSL 1.0.0 with FIPS. I'm assuming they've either modified the FIPS module to be compatible with OpenSSL 1.0.0, obtained their own module by other means, or used some other method. Any information on this would be helpful.
>
> Thanks in advance,
> James

I'll have to speculate here as I've had no contact with Red Hat, but it appears that they have obtained their own proprietary validation based on OpenSSL (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1320). This is a pretty common thing for proprietary software vendors to do, and obtaining such a binary validation is much easier than for the open source based ones (e.g. the OpenSSL FIPS Object Module v1.2, #1051). I've been told by those in the know that the *majority* of all software validations are based on OpenSSL.

There is no schedule for a new open source based 1.0 compatible validation because we have no funding. In fairness to the commercial vendors like Red Hat, it isn't to their economic advantage to support a validation that could be leveraged by their competitors. To those vendors who do have validated crypto modules, the FIPS 140-2 procurement requirements are a marvelous advantage that lock out a lot of potential competition, well worth the (significant) expense. Not such a good deal for the U.S. and Canadian taxpayers, as they indirectly pay for many validations of essentially the same software, but there is currently no one really representing that interest (the previous validations did receive significant financial support from the U.S. government and DoD, but that was all done on a one-off basis).

-Steve M.

--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 877-673-6775
marqu...@opensslfoundation.com

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Re: OpenSSL 1.0.0 FIPS module
I completely understand and appreciate your quick response :) For the time being, we'll stick with using the latest version of the 0.9.X series of OpenSSL.

Thanks again,
James

----- Original Message -----
From: Steve Marquess marqu...@opensslfoundation.com
To: openssl-users@openssl.org
Sent: Thu, Jul 29, 2010, 11:29 AM
Subject: Re: OpenSSL 1.0.0 FIPS module
Re: OpenSSL 1.0.0 FIPS module
I think, perhaps, two different things are being confused here:

1) RedHat's use of the term OpenSSL Module v1.0, and
2) James' use of the term OpenSSL 1.0.0.

Looking through RedHat's Security Policy and Certificate posted on NIST's site, it certainly looks to me that their OpenSSL Module v1.0 is based on OpenSSL 0.9.8.

Geoff

----- Original Message -----
From: Steve Marquess marqu...@opensslfoundation.com
To: openssl-users@openssl.org
Sent: Thu, July 29, 2010 9:36:19 AM
Subject: Re: OpenSSL 1.0.0 FIPS module
Re: OpenSSL 1.0.0 FIPS module
Without funding, there's zero progress, so it's an ETA of 'never'.

RedHat uses a FIPS-validated version of their software-only PKCS11 provider.

-Kyle H

On 7/29/10 6:35 AM, ja...@nixsecurity.org wrote: