A separate thread has dredged up some commentary on the OpenSSL-based
FIPS validations:
...
> ... I've been involved in two FIPS validations of vendor versions
> of OpenSSL. I think one of them may have been one of the first ones
> ever done. I am aware of how much work you must have done to get
> things even into the state they are in today -- though I certainly
> didn't know it was unfunded.
Yes, that's a key point. The key point, actually. We have had some
funding, but the great bulk of that was spent on the test lab fees.
I haven't kept track of the uncompensated volunteer effort but it
easily totals to well over a man-year. Alas, much of that effort was
expended running in circles as we converged on a solution that would
satisfy the peculiar requirements of FIPS 140-2. In such
circumstances the major challenge was not to implement the *best*
solution, but to implement *a* working solution before time and money
ran out. We came very close to giving up at several points.
I want to point out that the original OpenSSL FIPS Object Module FIPS
140-2 validation was uniquely challenging, for all involved parties --
myself, the Open Source Software Institute, the OpenSSL team, the test
lab (DOMUS ITL), and the bureaucrats at the CMVP. That effort quickly
burned through the initial $85,000 in funding and dragged on for roughly
five years. It would have cost many hundreds of thousands more if the
OpenSSL and test lab work had been compensated at fair market rates.
This first validation (and to some extent subsequent source code based
validations) took so long because nothing like it had ever been done
before. This validation was the first to utilize source code *and* the
first to allow static object module linking. To get there took all of
us on a long journey through and around formal policy and processes not
very attuned to software validations of any kind in the first place.
But, that experience is not representative of FIPS validations in
general. Now that the precedent has been well established a typical
*un*complicated single platform copycat or "private label" validation is
just a matter of a vendor writing a check for $30,000 or so (pretty
affordable as validations go). And waiting ... waiting ... waiting, of
course...
Please note that this situation will only hold true until sometime next
year, as the policy requirements will be changing and the current v1.2
validation will no longer be a rubber stamp template. No post-v1.2
validation is currently planned so there will no longer be a shared
model suitable as-is for direct use or as a basis for private label
validations.
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org