I see. Still, the documentation sent to the lab would be helpful to the community to better understand/review the existing code. On Mon, Apr 6, 2015 at 5:44 PM, Steve Marquess <marquess at openssl.com> wrote: > On 04/06/2015 10:09 AM, Nicolae Rosia wrote: >> Is the documentation for the current validation available? Maybe >> someone can pick it up and work from there. > > It doesn't work that way. With FIPS 140-2 the software itself is never > the problem, it's everything else. > > The OpenSSL FIPS Object Module is entirely open source, but having the > source code does you no good when what you want is a software product > that satisfies the USG procurement requirements for FIPS 140-2 validated > cryptography. Remember that the challenge with FIPS 140-2 isn't to have > working code (you have that already with stock OpenSSL); it is to have > code (in a peculiar form, a "cryptographic module") that has been > officially blessed by an arcane and tedious bureaucratic process. > > That blessing (validation) is something that costs money, for accredited > test lab and CMVP fees, not to mention a substantial amount of labor. > > -Steve M. > > -- > Steve Marquess > OpenSSL Software Foundation, Inc. > 1829 Mount Ephraim Road > Adamstown, MD 21710 > USA > +1 877 673 6775 s/b > +1 301 874 2571 direct > marquess at opensslfoundation.com > marquess at openssl.com > gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
