Re: FW: OpenSSL FIPS 1.0 AIX using GCC patches

2006-04-14 Thread Steve Marquess
fixed cost among multiple sponsors. The next validation should take a lot less than 3-1/2 years... -Steve M. -- Steve Marquess c/o Open Source Software Institute [EMAIL PROTECTED] __ OpenSSL Project

Re: OpenSSL FIPS 140 Support

2006-09-08 Thread Steve Marquess
good fit. The lead time for correcting and announcing problems in OpenSSL code is usually measured in days. The lead time for validating changes is measured in many months. Closed source proprietary vendors of course have an enormous incentive to skip the announcement step :-) -Steve M. --

Re: Build FIPS code in openssl?

2007-02-02 Thread Steve Marquess
;vendor affirmed" binary modules that can be made to order for application vendors unable to wait for the source based product. We hope to be announcing the details soon. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

Re: Windows build of FIPS 1.1.1 is not thread-safe

2007-08-12 Thread Steve Marquess
8 based FIPS Object Module for validation. This time around we will include MS Windows, thanks to a generous corporate sponsor, but the number of platforms we can test is severely constrained by available funding -- the test lab fees alone are several kilobucks a platform and they don't

Re: OpenSSL FIPS Object Module v1.2

2007-11-29 Thread Steve Marquess
of validations in process, spaced a few months apart -- then problems found in validation N could be addressed in validation N+1. But validations are very expensive and our financial sponsorship is erratic so we proceed as resources allow.

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
new validation will start from that point. While new problems may be introduced with new development it's unlikely that any problems already there will spontaneously disappear. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
Steve Marquess wrote: Brad House wrote: Ok, guys, let me point out a harsh reality here. As noted in an earlier comment, FIPS 140-2 validation doesn't mesh all that well with the open source world. ... We're a paying OSS member (or at least we were, not sure if we were invo

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
hat the work is tedious, boring, frustrating, and mind-bendingly surrealistic. There is a long "you're kidding, right?" and "WTF?" learning curve... -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
OSSI directly with any questions, I think we're pretty good at being responsive to those contributors. And Steve Henson is responsive to everyone. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

Re: OpenSSL FIPS Object Module v1.2

2007-12-02 Thread Steve Marquess
ken on my part. I've had to deal with much worse in other less public forums. I can tell you that this kind of "frank exchange of views" does not play well everywhere, most bureaucracies (not just the CMVP) have very different ways of working and establishing consensus. So please please p

Re: OpenSSL FIPS Object Module v1.2

2007-12-10 Thread Steve Marquess
Kyle Hamilton wrote: > On Dec 2, 2007 4:31 PM, Steve Marquess <[EMAIL PROTECTED]> wrote: > >> Kyle Hamilton wrote: >> >>> I just want to have the opportunity to know that what is submitted >>> will actually run on the platform I must use. >>

Re: OpenSSL FIPS Object Module v1.2

2007-12-11 Thread Steve Marquess
te your input, Steve M, and I appreciate > the time that you have taken thus far to express what you've thus far > been willing and able to. I basically seek to find a means by which > we (the users) can contribute to something which is arguably the most > important advanc

Re: OpenSSL FIPS Object Module v1.2

2007-12-12 Thread Steve Marquess
Kyle Hamilton wrote: On Dec 2, 2007 4:31 PM, Steve Marquess <[EMAIL PROTECTED]> wrote: .. c) I would like to know where to find the formal specification documents for what must be met in a module boundary, ... The module boundary is *the* key concept for FIPS 140-2. It is also a

Re: OpenSSL FIPS Object Module v1.2

2007-12-12 Thread Steve Marquess
pting a validated Module" then of course the answer is no. But if you ask the equivalent question "must I take steps to prevent such subversion such as not using calls to shared malloc functions" then the answer is also no. LD_PRELOAD is one example of many of ways to subvert

OpenSSL FIPS Object Module v1.2 snapshots

2007-12-18 Thread Steve Marquess
th the command: cvs -d [EMAIL PROTECTED]:/openssl-cvs co \ -r OpenSSL-fips-0_9_8-stable openssl -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

Re: openssl 0.9.8 with fips

2008-05-31 Thread Steve Marquess
FIPS capable 0.9.8 OpenSSL. There is (will be) only one version of the former, while the "FIPS capable" support will be carried forward in future 0.9.8 releases. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

Re: FIPS mode and SSE2

2008-06-05 Thread Steve Marquess
a non-SSE capable processor you'll have to use the no-asm version, sorry. Contributions to defray validation test lab fees are always welcome. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

Re: FIPS 140-2 Certification

2008-08-12 Thread Steve Marquess
ler optimizations. It is based on and compatible with OpenSSL 0.9.7+. I'm expecting two more validations for the 0.9.8+ based v1.2 Real Soon Now. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

Re: FIPS certification document for OpenSsl

2008-08-19 Thread Steve Marquess
r restriction is not unique to the OpenSSL FIPS Object Module; in years past I have pursued and been given multiple explanations, some quite elaborate, that I just don't get. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

Re: FIPS certification document for OpenSsl

2008-08-20 Thread Steve Marquess
e clients." That still doesn't make a lot of sense to me from a technical perspective, but it does seem to say that validated modules can be used on what we would consider multi-user, multi-tasking systems. Start asking about threading, forking, multiple cores, etc., though, and you start gett

Re: FIPS certification document for OpenSsl

2008-08-20 Thread Steve Marquess
Prashant Kumar wrote: Hello All, Where can I find the documentation for OpenSsl FIPS certification ? Any help is appreciated. See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#918 and http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf. -Steve M. -- Steve

Re: Question regarding openssl fips module

2008-08-26 Thread Steve Marquess
t code without violating the conditions of the Security Policy. The pending OpenSSL FIPS Object Module v1.2 will include some 64 bit platforms. I've been expecting that validation Real Soon Now for weeks. -Steve M. -- Steve Marquess Open Source So

Re: ssl tests forbidden in FIPS mode

2008-09-25 Thread Steve Marquess
r code first, *then* test -- ready, fire, aim!). Since there is little practical reason to disable FIPS mode once enabled (reference earlier discussion) we elected to just leave that bug as-is rather than abort and restart the validation process. -Steve M. -- Steve Marquess Open Source Software I

Re: ssl tests forbidden in FIPS mode

2008-09-25 Thread Steve Marquess
lude them in the v1.2 frozen code baseline for which the validation is still pending. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

(Non)status of OpenSSL FIPS Object Module v1.2 Validation

2008-09-26 Thread Steve Marquess
IPS 140-2 validation I've participated in took about three months, the longest over five years. So my current prediction is that this validation will be awarded no later than April 2013. About the time OpenSSL 1.6 is released :-) -Steve M. -- Steve Marquess Open Source Softw

Draft FIPS Module v1.2 User Guide

2008-11-26 Thread Steve Marquess
anticipate revisions over the next few weeks. Feedback on errors/omissions/improvements will be greatly appreciated. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

Mea Culpa on FIPS Module v1.2 User Guide and Windows

2008-12-08 Thread Steve Marquess
kle a reinstall and another revalidation. I'll gladly incorporate any contributed feedback into the User Guide, but until/if another paying client needs Microsoft specific support I won't be doing any hands-on work with Windows. -Steve M. -- Steve Marquess Veridical Systems, Inc. 182

Re: [PATCH RFC] Add support to Intel AES-NI instruction set for?x86_64 platform

2008-12-11 Thread Steve Marquess
Well, as with most such initiatives the FIPS validation program was initiated with the best of intentions and IMHO in the beginning served a useful purpose. Other than that, no comment :-) -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]

Re: FIPS_selftest_rng fails on Solaris10 x86

2009-02-13 Thread Steve Marquess
anned due to lack of any financial sponsors for the significant cash outlays required. We want the "fips" option to work properly in 0.9.8j+, but IMHO failure of "fipscanisterbuild" is a bug worthy of note but not necessarily of prompt correction. -Steve M. -- Steve Marquess Op

Re: New fips compliance version based on 0.9.8k or later? (UNCLASSIFIED)

2009-04-20 Thread Steve Marquess
compatible") versions of OpenSSL, so as to leverage the advantages of the high level API of the latter, but it is a separate and distinct product. See the User Guide (http://www.openssl.org/docs/fips/UserGuide-1.2.pdf) for more details. -Steve M. -- Steve Marquess Veridical Systems, Inc.

Re: FIPS validation docs

2009-05-05 Thread Steve Marquess
epresenting vendors for validations) am not even allowed to see, much of the rest I'm not allowed to reveal under non-disclosure restrictions. -Steve M. -- Steve Marquess Veridical Systems, Inc. marqu...@veridicalsystems.com

Re: fipsld or libcrypto.so

2009-05-08 Thread Steve Marquess
led where all crypto operations are performed in the validated fipscanister.o. This behavior was an important design goal because it allows software vendors to ship one binary to all customers. -Steve M. -- Steve Marquess Veridical Systems, Inc. marqu...@veridicalsystems.com

Re: fipsld or libcrypto.so

2009-05-08 Thread Steve Marquess
Steve Marquess wrote: > canroc wrote: > >> I am confused with what is required in building an application to use >> encryption functions from a FIPS 140-2 capable openSSL library. >> >> If I link the shared library libcrypto.so (0.9.8j) into my application and >

Re: fipsld or libcrypto.so

2009-05-11 Thread Steve Marquess
atever technique you're using there won't work for fipscanister.o, which is what you need in order to enable FIPS mode. Statically linking fipscanister.o into an application executable requires the special link-execute-link as done by the fipsld utility, in order to generate the embed

Re: Delivering two versions of libcrypto - fips and non-fips

2009-08-27 Thread Steve Marquess
ts, so please feel free to ask. -Steve M. -- Steve Marquess The OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 marqu...@opensslfoundation.com

Re: Delivering two versions of libcrypto - fips and non-fips

2009-08-28 Thread Steve Marquess
Steve Marquess wrote: Mark Phalan wrote: ... > Due to the way the FIPS Capable OpenSSL is built it ends up with > older implementations of ciphers (all the ones that fipscanister.o > implements). These cipher implementations are used regardless of > being in FIPS mode or not.

Re: Delivering two versions of libcrypto - fips and non-fips

2009-08-30 Thread Steve Marquess
at even the existing v1.2 module will no longer be compliant. The commercial vendors who have been obtaining "private label" validations based on v1.2 will find that those validations will no longer be rubber stamp formalities as is the case today. -Steve M. -- Steve Mar

Re: Delivering two versions of libcrypto - fips and non-fips

2009-09-01 Thread Steve Marquess
butions of that sort. So what is currently a community resource will gradually revert back to a roll-your-own situation, same as it was before the first open source based validation. -Steve M. -- Steve Marquess The OpenSSL Software Foundation, Inc. 1829 Mou

Re: Delivering two versions of libcrypto - fips and non-fips

2009-09-13 Thread Steve Marquess
Thor Lancelot Simon wrote: On Thu, Sep 10, 2009 at 06:10:27PM +0200, Dr. Stephen Henson wrote: > On Wed, Sep 09, 2009, Thor Lancelot Simon wrote: > >> On Sat, Aug 29, 2009 at 05:34:04PM -0400, Steve Marquess wrote: >> >> That this wasn't the obvious approach from

Re: Delivering two versions of libcrypto - fips and non-fips - correction

2009-09-13 Thread Steve Marquess
Steve Marquess wrote: Thor Lancelot Simon wrote: On Thu, Sep 10, 2009 at 06:10:27PM +0200, Dr. Stephen Henson wrote: > On Wed, Sep 09, 2009, Thor Lancelot Simon wrote: > >> On Sat, Aug 29, 2009 at 05:34:04PM -0400, Steve Marquess wrote: >> >> That this wasn't the o

History Note on FIPS Validation

2009-09-13 Thread Steve Marquess
is for private label validations. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 marqu...@opensslfoundation.com

Re: sha256 in FIPS mode.

2009-10-27 Thread Steve Marquess
f 2010 the current v1.2 code will need very substantial modification for new validations. -Steve M. -- Steve Marquess The OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 marqu.

Re: sha256 in FIPS mode.

2009-10-27 Thread Steve Marquess
nd not the future SHA-3. -Steve M. -- Steve Marquess Open Source Software Institute marqu...@oss-institute.org