(Non)status of OpenSSL FIPS Object Module v1.2 Validation

2008-09-26 Thread Steve Marquess
I haven't made any announcements for some time because there has been nothing to announce. We're still waiting. The last inquiries from the CMVP, which seemed fairly routine and minor, were all (I believe) satisfactorily responded to as of September 9. I have no indications that the CMVP is

OpenSSL FIPS Object Module v1.2 snapshots

2007-12-18 Thread Steve Marquess
Snapshots from the OpenSSL-fips-0_9_8-stable branch where development for FIPS 140-2 currently takes place are now being posted in the snapshot area, ftp://ftp.openssl.org/snapshot/. These will have names of the form openssl-0.9.8-fips-test-SNAP-MMDD.tar.gz

Re: OpenSSL FIPS Object Module v1.2

2007-12-12 Thread Steve Marquess
Kyle Hamilton wrote: > > I'll go out on a limb here and express my (certainly naive) > extrapolations/interpolations: > > Module Boundary: That which contains the entire deliverable that > implements the algorithms required by FIPS 140-2 and the glue to make > them accessible. (The physical strin

Re: OpenSSL FIPS Object Module v1.2

2007-12-12 Thread Kyle Hamilton
Hi, Steve M! I've been reading your replies as you write them, and I'd like to thank you for taking so much time and addressing my concerns. I must say, however, that I'm actually less confused (having read this one) than I was before. (replies inline) On Dec 12, 2007 5:38 AM, Steve Marquess <[

Re: OpenSSL FIPS Object Module v1.2

2007-12-12 Thread Steve Marquess
Kyle Hamilton wrote: On Dec 2, 2007 4:31 PM, Steve Marquess <[EMAIL PROTECTED]> wrote: .. c) I would like to know where to find the formal specification documents for what must be met in a module boundary, ... The module boundary is *the* key concept for FIPS 140-2. It is also a very el

Re: OpenSSL FIPS Object Module v1.2

2007-12-11 Thread Steve Marquess
Kyle Hamilton wrote: > > I'm trying to point out something that I perceive as an issue in the > organizational intelligence. > > .. > > To make plain the changes that I'd like to see, in order of my > perception of possibility/likelihood: > a) I would like to see the addition of ability for

Re: OpenSSL FIPS Object Module v1.2

2007-12-10 Thread Steve Marquess
Kyle Hamilton wrote: > On Dec 2, 2007 4:31 PM, Steve Marquess <[EMAIL PROTECTED]> wrote: > >> Kyle Hamilton wrote: >> >>> I just want to have the opportunity to know that what is submitted >>> will actually run on the platform I must use. >>> >>> ... ... Kyle, you raise a number of good po

Re: OpenSSL FIPS Object Module v1.2

2007-12-02 Thread Kyle Hamilton
On Dec 2, 2007 4:31 PM, Steve Marquess <[EMAIL PROTECTED]> wrote: > Kyle Hamilton wrote: > > I just want to have the opportunity to know that what is submitted > > will actually run on the platform I must use. > > > Your best approach is to report problems (or provide patches) for the > head of Ope

Re: OpenSSL FIPS Object Module v1.2

2007-12-02 Thread Steve Marquess
Kyle Hamilton wrote: > ... >>> Yes, that is understandable. Any code going through validation at that >>> time cannot be touched. I think what Kyle asked for was prior to the >>> next validation starting, a 2-week window where people could provide >>> patches. Basically a 'last-call', or at leas

Re: OpenSSL FIPS Object Module v1.2

2007-12-02 Thread Brad House
>> However, I >> am honestly annoyed that there have been two validation cycles past >> without (still!) a working FIPS-validated module for the Intel Mac. > > What is this statement based on? Intel Mac support was added and tested > prior to the second submission. Though it's limited to 32 bits... Beca

Re: OpenSSL FIPS Object Module v1.2

2007-12-02 Thread Andy Polyakov
> However, I > am honestly annoyed that there have been two validation cycles past > without (still!) a working FIPS-validated module for the Intel Mac. What is this statement based on? Intel Mac support was added and tested prior to the second submission. Though it's limited to 32 bits... Because 64-bi

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Kyle Hamilton
On Nov 30, 2007 11:33 AM, Steve Marquess <[EMAIL PROTECTED]> wrote: > Brad House wrote: > >> Brad, sorry, I didn't mean to come across as negative. The point I was > >> trying to make is that once a validation starts I can't afford to delay > >> it to deal with problems that are discovered in the

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
Brad House wrote: >> Brad, sorry, I didn't mean to come across as negative. The point I was >> trying to make is that once a validation starts I can't afford to delay >> it to deal with problems that are discovered in the already frozen >> baseline, unless those problems are critical to the requir

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Dr. Stephen Henson
On Fri, Nov 30, 2007, Brad House wrote: > > I didn't actually know a public CVS branch existed for 0.9.8 fips until > an e-mail last night. Is the only way to grab the current branch to > rsync the _entire_ openssl cvs repository then do a local checkout? > Are there any snapshots of that branch

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Brad House
> Brad, sorry, I didn't mean to come across as negative. The point I was > trying to make is that once a validation starts I can't afford to delay > it to deal with problems that are discovered in the already frozen > baseline, unless those problems are critical to the requirements of the > paying

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
Steve Marquess wrote: Brad House wrote: Ok, guys, let me point out a harsh reality here. As noted in an earlier comment, FIPS 140-2 validation doesn't mesh all that well with the open source world. ... We're a paying OSS member (or at least we were, not sure if we were invoiced for a renewal

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
Brad House wrote: Ok, guys, let me point out a harsh reality here. As noted in an earlier comment, FIPS 140-2 validation doesn't mesh all that well with the open source world. Validation testing is expensive. ... ... Anyone who wants to volunteer their time to help out, please drop me a line

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Brad House
> Ok, guys, let me point out a harsh reality here. As noted in an earlier > comment, FIPS 140-2 validation doesn't mesh all that well with the open > source world. > > Validation testing is expensive. The direct costs alone -- to pay the > test lab, for CMVP fees, for hardware and/or test lab tr

Re: OpenSSL FIPS Object Module v1.2

2007-11-30 Thread Steve Marquess
Brad House wrote: Ideally (in my view anyway), we'd have some sort of announcement as to where the FIPS code is being evaluated, then have a couple of weeks to a month to hammer at it before it's sent off to the (much more costly, and much more involved) CMVP validation. I like the idea of

Re: OpenSSL FIPS Object Module v1.2

2007-11-29 Thread Peter Waltenberg
Date: 30/11/2007 13:07 Subject: Re:

Re: OpenSSL FIPS Object Module v1.2

2007-11-29 Thread Brad House
> Ideally (in my view anyway), we'd have some sort of announcement as to > where the FIPS code is being evaluated, then have a couple of weeks to > a month to hammer at it before it's sent off to the (much more costly, > and much more involved) CMVP validation. I like the idea of a peer review pe

Re: OpenSSL FIPS Object Module v1.2

2007-11-29 Thread Kyle Hamilton
themselves, and even if our input can't go into the current validation cycle it'll still be a lot easier to see what's going on. -Kyle H On Nov 29, 2007 5:59 PM, Steve Marquess <[EMAIL PROTECTED]> wrote: > > Kyle Hamilton wrote: > > > There is no available Open

Re: OpenSSL FIPS Object Module v1.2

2007-11-29 Thread Steve Marquess
Kyle Hamilton wrote: > The FIPS validation process is... odd. And not at all conducive to the > open-source development model. > There is a certain dissonance, for sure :-) > There is no available OpenSSL FIPS Object Module v1.2. Well, yes and no. Check out the OpenSSL-fips-

Re: OpenSSL FIPS Object Module v1.2

2007-11-29 Thread Kyle Hamilton
The FIPS validation process is... odd. And not at all conducive to the open-source development model. There is no available OpenSSL FIPS Object Module v1.2. Until it passes validation, anyway, at which point the openssl-fips-1.2.0.tar.gz file will be made available. I don't think the sour