This is an excellent explanation in plain English. Thank you!

> On Apr 28, 2015, at 4:31 PM, Steve Marquess <marquess at openssl.com> wrote:
>
>> On 04/28/2015 03:44 PM, Sec_Aficionado wrote:
>> Hi there,
>>
>> Total n00b question here. I recently ran across a question on an iOS forum where someone was building an app with FIPS 140-2 compliant communications.
>
> Note there really is no such thing as "FIPS 140-2 compliant" (though you see that term bandied around a lot and I'm guilty of doing so myself).
>
> The term of interest is "FIPS 140-2 validated" (n.b.: that's "validated", not "certified").
>
>> Now, from reading here (mailing lists) about FIPS certification, it involves both the bits and the platform. So it would not be possible to create an app that is compliant on a platform that hasn't been certified. Is that a correct assumption? Or can I build a compliant app with just certified libraries?
>
> A Level 1 FIPS 140-2 validation (Level 1 being the most common and the "easiest") applies to a thing called a "cryptographic module" in the context of one or more "OEs" or "Operational Environments" (loosely speaking, "platforms"). Note that at Level 1 products are not validated, operating systems are not validated, only "cryptographic modules" are validated.
>
> Translated from FIPSspeak, for a software "module" that means a very specific chunk of executable code running on a specific platform (operating system and OS version and processor "architecture"). Move that same code to another platform and it is no longer validated; the validation is relative to the OEs or platforms.
>
> The only valid reason to use a FIPS 140-2 validated module is that you must in order to sell your cryptography-using product to the USG or DoD. For that market you (typically, if the procurement officer is paying attention) have to use a validated cryptographic module on one of the OEs specifically listed for that module validation.
>
> So for a software product there is no such thing as validation of the product independent of the platform (OE) it runs on.
>
> A partial exception to that rule is "user affirmation" per I.G. G.5, but while technically a legitimate means of satisfying FIPS 140-2 validation requirements, that has limited practical value in the USG/DoD market.
>
> Note I'm only discussing Level 1 validations here; Levels 2 and up are different.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at opensslfoundation.com
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc