ut you
don't know what's actually needed until you get the new set of test
vectors (which of course cost money).
-Steve M.
--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 301 874 2571
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
s and support OpenSSL and the OpenSSL user
community at the same time; a win-win situation all around.
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation
20-22 Wenlock Road
London N1 7GU
United Kingdom
+44 1785508015
+1 301 874 2571 direct
marqu...@opensslfoundation.org
ste...@openss
ble for the long haul. We may also not have the resources to
tackle something that would otherwise be of interest (we have a back
catalog of nice-to-have cryptography waiting for a rainy day).
-Steve M.
cumentation.
Even though most of us are not native English speakers, English is our
lingua franca.
-Steve M.
_algv tests suite to have the algorithms validated
> (#3768) using this lab but I cannot see how to use it to "induce" an
> error in the FIPS module.
>
Look at what the "fips_test_suite" option of fips_algv does. That's also
discussed in the OpenSSL FIPS module user gu
he User Guide:
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
Test labs typically just run "fips_algv fips_test_suite" for the
functional testing, as it was designed for exactly that purpose.
-Steve M.
t are listed only for the
#1747 or #2473 validations which stop at revision 2.0.10, in which case
that's the newest FIPS module revision with the magical pixie dust of
FIPS righteousness, even though the latest revision (2.0.12)
functionally supports all platforms for all validations.
Hat FIPS module, not the OpenSSL one, so you'll
need to ask that vendor.
-Steve M.
ithm tests is a function of your requirements and is unique to each
validation. You'll need to consult with your accredited test lab.
-Steve M.
sually you don't have to reprocess them all, though I
usually do given that it's easier to use fipsalgtest.pl on a full test
vector set than to manually manipulate individual request files. Note I
like to hang on to the test device until the CMVP formally approves the
related validatio
ion a lot easier, but you still have to use a test
lab. Yes, you have to pay the lab, but welcome to the wonderful world of
FIPS 140-2.
-Steve M.
de the conscious decision to not allow FIPS 140-2 to distort and
pervert OpenSSL even more than has already been the case. We'll do a
(relatively) clean and sane implementation for 1.1 if and when we can,
and nothing otherwise.
-Steve M.
tion for
FIPS 140-2 can be as simple as throwing in a FIPS_mode_set() call. With
a stock OpenSSL and hand-jammed FIPS module you'd need to manually vet
all application code; the stock OpenSSL won't let you know when your
application uses non-allowed cryptography.
-Steve M.
st of that risk).
If and when a new FIPS module for 1.1 is developed, it almost certainly
will take the form of a new "engine" style modular component.
-Steve M.
ng 1.1 releases.
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
latforms 103/104:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf
-Steve M.
ld be
modular so the FIPS module and OpenSSL releases would no longer be so
tightly coupled.
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl
uld
also be unusable absent a matching FIPS 140-2 validation.
-Steve M.
h provides just 1 bit
of entropy per byte. Again assume it is uniform (e.g. we don't get 8
bits of entropy in byte 1 and nothing in the next 7). Again let's have a
block size of 16 bytes. This time to get 256 bits of entropy the source
must provide it in a 256 byte buffer. An extra block is re
al agreements are in place). If it isn't
completely gone by the end of this year it will be renamed.
All contemporary references you see to the OpenSSL Software Foundation
are for the new non-profit Delaware entity. As Rich has noted we do need
to change mentions of the original entity, now co
anges yourself to your local copy of the code,
but you'll need to get that modified code validated to claim FIPS 140-2
validation. There is no reason to use the FIPS module code otherwise, so
the basic rule is you just have to live with whatever flaws or omissions
are present.
-Steve M.
list is for OpenSSL development issues, not for basic usage questions.
You might want to start with the OpenSSL FIPS User Guide:
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
-Steve M.
ased validation to succeed #1747.
-Steve M.
lidation. Instead it will be the first revision of the
pending new "salvage edition" validation[**]. It will be the same
tarball as if we were allowed to update the #1747 validation directly,
though.
-Steve M.
[*] http://openssl.com/fips/hostage.html
[**] http://openssl.com/fips/ransom
're working on the 101st platform
now). It's not free though; figure about US$15K which is either a
bargain (for commercial vendors relative to any alternatives) or cost
prohibitive (for the small business).
-Steve M.
enSSL doesn't do better, faster,
more securely). A new validation will be necessary. You will find such a
validation a significant challenge even without the source code mods you
contemplate.
-Steve M.
some sort of coherence.
In the meantime we greatly appreciate the patience and support shown by
so many of you in the OpenSSL community.
-Steve M.
.
In short, while your odds of actually being prosecuted are probably low,
it's damn hard to be a U.S. citizen and lawfully work on open source
cryptography.
-Steve M.
I would like to beg the indulgence of
the OpenSSL community for a bit longer.
-Steve M.
significant
changes like whole new APIs and infrastructure mods.
The "multiple people" could be a sufficiently large and diverse group of
serious and committed stakeholders, both OpenSSL team members and
others. Volunteers?
Of course, a process like that wouldn't necessarily prevent f
all the urgently necessary activities
are covered there isn't a lot of discretionary time left over. OpenSSL
hangs by a thinner thread than most people realize.
Since contributions are as likely to introduce problems or
vulnerabilities as code authored directly by the OpenSSL team, I think
you ca
On 03/26/2014 05:25 PM, Mark Hatle wrote:
> On 3/26/14, 2:41 PM, Steve Marquess wrote:
>> On 03/26/2014 12:30 PM, Mark Hatle wrote:
>>> Looking at the fips_canister.c I see that ia32 (32-bit and
>>> 64-bit) systems are not enabled ...
>>>
>>> W
e tarball entirely. Until then any
change to the tarball contents means (at best) a "change letter" update,
even something as trivial as a change to a comment.
-Steve M.
disclosed. At present details
about validations are treated as state secrets, with the singular
exception of our open source based validations.
I think you will find that a number of other code modifications will
also be required. I'll be interested to learn what works for your
validation.
-S
fectively obsolete for many purposes.
For instance, it does not support TLS 1.2.
The OpenSSL FIPS Object Module 2.0, validation certificate #1747, should
be used for any new development and careful consideration should be
given to upgrading any FIPS 1.2/OpenSSL 0.9.8 based products to FIPS
2.0/OpenS
ml.
I see mention of the OpenSSL FIPS Object Module, so I'll have a crack at
responding if you'll resend in a text friendly format.
Also, the openssl-users list would be more appropriate for this kind of
query.
-Steve M.
a development board. That's assuming the development board has
the same OS and processor as the production device of interest.
-Steve M.
uch easier way. You can have your
platform(s) added to the #1747 validation. That's how that validation
came to have 80 platforms (with another dozen or so on the way) :-).
Our rough cost for the "change letter" addition of a platform to #1747
is $15K and 2-3 months. Compare that to the c
e have done multiple times) and end up with very
different answers and approaches to various requirements.
-Steve M.
estvectors/OE46.results.tar.gz
You will find rather quickly that factors like SP800-131A, the
deprecation of Dual EC DRBG, and the I.G. 9.10 issue
(http://opensslfoundation.com/fips/ig95.html) mean that you can't use
these test vector formats and the OpenSSL FIPS Object Module
2.0,2.0.1,...,2
ave defined the
module boundary differently than was done for the OpenSSL FIPS Object
Module.
-Steve M.
sion is irrelevant to that FIPS
validation (OpenSSL proper is out of scope).
If you've gone to a test lab and obtained some sort of private
validation based on OpenSSL code, then you need to consult with that lab.
-Steve M.
ht that all refers to 1.0.1 only
> without applying to any other version.
Ok. If there's a way we can improve that document I want to know. It's a
complex topic.
When OpenSSL 1.0.2 is released the User Guide will be updated to state
"1.0.1 and 1.0.2" as the current FIPS m
the standard
OpenSSL API. Any 1.0.1 release can be used for this purpose."
I thought that rather specifically excluded 1.0.0 along with all other
releases that aren't 1.0.1. Should that paragraph also state "Releases
other than 1.0.1 cannot be used for this purpose"
T and RODATA
segments of live memory and compared with the previously stored value.
That mechanism is of course also fully exposed in the source code:
http://www.openssl.org/source/openssl-fips-2.0.5.tar.gz
In particular look at fips.c, fips_premain.c, fipsld, and incore (for ELF).
-Steve M.
rocess.pdf
Keep in mind that the FIPS module is *not* the same as OpenSSL and that
I'm not qualified to give legal advice.
-Steve M.
. ...
You might want to look at the existing code for handling all required
FIPS 140-2 algorithm testing. See the FIPS module User Guide:
http://www.openssl.org/docs/fips/UserGuide-2.0.pdf
Appendix B.
That will be the easy part...
-Steve M.
ide:
> ./config -DOPENSSL_DRBG_DEFAULT_TYPE=NID_hmac_WithSHA256 \
> -DOPENSSL_DRBG_DEFAULT_FLAGS=0
Good catch, thanks. Fixed in revision to be posted soon.
-Steve M.
n adding platforms like AIX to the #1747 validation we include
appropriate entries as necessary in the config and Configure files (such
additions are why the revision number increments: 2.0.1, ..., 2.0.5).
For some platforms (cross-compiled ones in particular) environment
variables are also used.
-S
t generated those files, but a technical requirement nonetheless.
-Steve M.
for Andy but no more. So unless someone else can develop and
thoroughly test a solution PA-RISC is effectively an unsupported platform.
-Steve M.
private memory.
So each such process performs actions which modify that private memory
(such as enabling FIPS mode) entirely independently of other processes.
The same is true for static linking, of course, as each process has
separate copies of both readonly and writable code.
-Steve M.
seful to set my spellchecker to British English, as intuition
can be misleading.
-Steve M.
give away for free. We have enough overhead expenses already
for our modest budget. We can and do work with commercial or government
sponsors that fund such expenses, but in this case I suspect money won't
be the deciding factor.
-Steve M.
discussion in the wiki might be useful (I
think someone made that suggestion already). Perhaps as we accumulate
enough content to bother linking to.
-Steve M.
book is nearly done and I have new content changes that
are needed.
So it's an experiment that may not work out.
> a question : Are you thinking to use "LyX" editor to produce Docbook ?
I'm too new at docbook to know yet. I'll start with a regular text editor.
-Steve M.
On 03/19/2013 04:59 PM, Matt Caswell wrote:
> On 19 March 2013 19:38, Steve Marquess wrote:
>> I took a quick look to see what utilities might be available to convert
>> between pod and mediawiki markup formats. "pod2markdown" (CPAN) is close
>> but not quite ther
e version controlled in
a collaborative setting. Now that there are several people contributing
content to that document the ODF format is very limiting, hence the
ongoing attempt to convert to docbook. That has turned out to be a bit
of a challenge but I'm still hoping to pull it off.
-Steve M.
on the smart way to manage
documentation that wants to be in all three formats I'd love to hear it.
-Steve M.
bit intimidated to
> publish something on this prestigious wiki...
Now that made me laugh :-)
You've already contributed something with your thoughtful comments,
don'
is Wiki is another
complication we don't need right now.
There is some content already but new contributions are welcome. We'll
be wanting to add some more administrators ("sysops") too.
-Steve M.
et messy very
quickly. For better or worse OpenSSL is very widely used, for good as
well as evil, and the licensing situation is muddled enough as it is.
Personally I think the existence and unrestricted availability of
OpenSSL benefits the good far more than evil.
-Steve M.
they are of no practical value today.
-Steve M.
ase don't use modified FIPS module source code, it buys you
absolutely nothing and costs you unnecessary complexity. Just use OpenSSL.
-Steve M.
you'll run into many
problems. Any way you look at it you need really compelling reasons to
choose that route; you will have not only the initial difficulty and
expense of implementing custom modifications, but also the long term
burden of supporting those customizations.
-Steve M.
ven further. The OpenSSL
libcrypto shared library is about 15 times larger and a better place to
look for size reduction opportunities. In general it will make more
sense to use the FIPS module as-is and reference just the specific
functionality you need.
-Steve M.
n posted to
openssl.org yet:
http://opensslfoundation.com/testing/validation-2.0/docs/UserGuide-2.0.pdf
The instructions are essentially the same as for the 1.2.x module.
-Steve M.
nssl-users list.
See http://www.openssl.org/docs/fips/UserGuide-2.0.pdf
-Steve M.
on by
Testing Candidates". The "ExtraRandomBits" reference is inaccurate.
-Steve M.
.4 on TI C64x+
>
> So, on the other hand there's no Mac OS X pending ?
Correct; to date we have had no sponsors interested in funding OS X for
the 2.0 validation. The 2.0 software supports that platform (thanks to
the Thursby sponsorship for 1.2.4) and it could still be added via a
duplicated (at the moment we're burning and printing them
one at a time).
So please expect some delays in receiving the CDs that have been requested.
-Steve M.
y updated and expanded for
the 2.0 module, and that document will be maintained in two separate
versions for the 1.2 and 2.0 modules:
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
http://www.openssl.org/docs/fips/UserGuide-2.0.pdf
-Steve M.
L FIPS Object Module 2.0.
-Steve M.
ly
generated you are free to use it with any application, including an
OpenSSL shared library.
-Steve M.
On 03/06/2012 06:47 PM, William A. Rowe Jr. wrote:
> On 3/6/2012 8:43 AM, Steve Marquess wrote:
>> On 03/06/2012 08:49 AM, Vanden, Michelle CTR USAF AFMC AAC/EBYC wrote:
>>> Hello Steve,
>>>
>>> Will the new certificate support that is has been tested in a
to take a fairly
casual approach. Inquire about purchasing the WhizBang(tm) product from
SnakeOil Enterprises and I'll bet they neglect to caution you (for
instance) that the validation won't apply to your Core i5 system because
AES-NI wasn't included in the validation :-)
-Steve M
Windows 7 64bit on x86, SSE2 optimization
AES-NI optimization is not covered, so for instance the module cannot be
used with Windows on many Intel Core i5 processors.
-Steve M.
The OpenSSL FIPS Object Module 2.0 is now in "coordination" status at
the CMVP. That's usually a good sign that the formal validation award
is imminent (as in "a week or three...").
-Steve M.
d) instructions in the Security Policy from
unmodified source on a formally tested platform, or one "near enough" to
a formally tested platform, then the resulting module is validated.
-Steve M.
On 01/25/2012 10:00 PM, Thor Lancelot Simon wrote:
> On Wed, Jan 25, 2012 at 06:35:58PM -0500, Steve Marquess wrote:
>>
>> A rough rule of thumb is that if you create a FIPS module
>> (fipscanister.o) on a formally tested platform (O/S and processor as
>> listed in t
discussion. See in particular section G.5.
-Steve M.
and/or install Windows Security Essentials as that which does
not appear to trigger this problem.
-Steve M.
/openssl-fips-2.0rc1.tar.gz
Note some additional cosmetic changes will be made prior to the formal
validation award.
-Steve M.
happened before late February. We
don't even have the formal submission in yet, though I'm hoping to make
an announcement soon.
-Steve M.
occur
infrequently enough that the temptation for scope creep -- knowing
another opportunity may not come along for years -- is overwhelming.
That's the main reason for the schedule slip.
-Steve M.
till not
painless and not free. I suspect that's your best option, contact me
directly if you'd like more details.
-Steve M.
it is being tested are encouraged to reference the
OpenSSL-fips-2_0-stable branch in the OpenSSL CVS repository.
-Steve M.
penssl-fips-2.0-test-20111013.tar.gz
and later) on their platforms of interest, and report any problems to
us. Build and test instructions are given in the ./README.FIPS file.
-Steve M.
alls used to build the
usual OpenSSL libraries leads to continuing confusion. For the upcoming
2.0 module we will be releasing the OpenSSL FIPS Object Module source
code in a separate tarball (now available as
ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-2011MMDD.tar.gz
snapshots).
-Steve
uments/140-1/140sp/140sp1051.pdf) where
you will see the source code you must start with is uniquely identified.
-Steve M.
of effort went
into designing the FIPS module to make that compatibility possible.
Note as a happy consequence that an existing application that uses
OpenSSL for all cryptography can usually be readily converted to use
FIPS validated cryptography.
-Steve M.
at any time, but this special
window of opportunity over the next few weeks will allow us to easily
correct reported problems.
-Steve M.
d-coding the correct answers. By now we have encountered
quite a few of these test vector sets, but as they are interchangeable
there is no point in keeping more than a few representative samples.
-Steve M.
marize:
1) Working but unvalidated code should be available within a month.
2) The formally validated module should be available by Q1 2012.
-Steve M.
platforms will have to be deferred to a later "change letter"
modification process.
-Steve M.
. The schedule for full implementation is still
under consideration.
-Steve M.
s on a fixed fee
basis; that revenue goes to support the open source based validation and
the continued maintenance and development of OpenSSL.
-Steve M.