If you don't know or care what FIPS 140-2 is, be very glad this isn't your problem and turn your charitable attentions to some worthy cause.

The CMVP has introduced a new policy that will result in the effective termination of many extant validations if they are not updated by January 31 2016[1]. That update is a pure paper shuffle -- adding politically correct verbiage to the Security Policy document -- but without it the CMVP will "de-list" the validation. The original OpenSSL FIPS Object Module validations (#1747, #2398, #2473) and all validations based on them -- which is a lot of validations -- are affected.

I'll be doing the labor to prepare the revised Security Policy documents for all the validations that have been performed by OSF, both the well known open source based ones and also "private label" ones, and the test labs for some of those validations are also doing their part pro bono. However, the test lab we used for the original open source based validations (#1747, #2398, #2473) is charging $1250 for those three related validations of the same module. Note this is not unreasonable as these updates involve a non-trivial amount of work.

In years past that would be just another routine cost of doing business that we would absorb, as for instance we did earlier this year for the "ransom" of the "RE" validation[2]. However, 2015 has not been a good year for the open source based FIPS validation business; it has gone from economically marginal to unsustainable and as a result we'll probably be shutting down the corporate entity that does the FIPS validation work at the end of this year.

I want to turn off the lights while that business is still (barely) in the black, and so have vowed not to take on any new expenses and will not be paying this $1250 out of those cash reserves, or out of my retirement savings. I also feel rather strongly that the FIPS related OpenSSL activities should not be subsidized out of donations or other general OpenSSL revenues. IMHO it's enough that I've worked on FIPS issues all this year with no income to show for it.

So if you're a corporate user of the OpenSSL FIPS Object Module v2.0, validation(s) #1747/#2398/#2473, and want to continue using it past January 31, please be aware we'll need someone to cover that $1250 cost. Don't send any money to us; if you're interested in covering this cost I'll put you directly in touch with the test lab to work out specific payment arrangements.

Thanks,

-Steve M.

[1] See "X9.31 RNG transition, December 31, 2015" at http://csrc.nist.gov/groups/STM/cmvp/notices.html
[2] http://openssl.com/fips/ransom.html

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc