Chris Brook wrote:
> Item #2: typically FIPS-140 certified code is delivered as a binary,
> tested by a lab and checked at both source and binary level, so the
> opportunity to modify is not there (DAC test will fail). With
> OpenSSL source that's not the case unless the developer of the
> product (who creates the binaries) gets it checked/certified by a lab
> as part of their product. Obviously if I lie and say my product is
> certified and it's not, I can but that's pretty stupid since the
> product will be listed on NIST's site as certified if it is. Will
> NIST list the OpenSSL crypto library on their site?

Since this is clearly a critical issue, I hope you'll be patient while we agree words that explain how this works and how it fits with FIPS certification.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff