On 12/02/2015 11:16 AM, Steve Marquess wrote:
> If you don't know or care what FIPS 140-2 is, be very glad this isn't
> your problem and turn your charitable attentions to some worthy
> cause.
>
> The CMVP has introduced a new policy that will result in the
> effective termination of many extant validations if they are not
> updated by January 31 2016[1]. That update is a pure paper shuffle
> -- adding politically correct verbiage to the Security Policy
> document -- but without it the CMVP will "de-list" the validation.
>
> ...
>
> So if you're a corporate user of the OpenSSL FIPS Object Module
> v2.0 validation(s) #1747/#2398/#2473, and want to continue using
> it past January 31, please be aware we'll need someone to cover
> that $1250 cost.
>
> Don't send any money to us; if you're interested in covering this
> cost I'll put you directly in touch with the test lab to work out
> specific payment arrangements.
>
> ...

I'm getting private queries about this (why is there such reluctance
to discuss the delights of FIPS 140-2 in public?). To save some time
here's an anonymous query I received, with my reply:

>> ... We are thinking of using openssl FIPS in our product but
>> haven't started the work yet.
>>
>> What will be the impacts to people like us who want to use the
>> OpenSSL FIPS modules but haven't started yet? Should we still use
>> the modules now or should we wait?
>
> Well, the #1747/#2398/#2473 validation is very widely used, so
> while the CMVP may block our future FIPS related initiatives I don't
> think they would dare kill those validations outright. Some
> stakeholder will pay the cost to surmount this latest obstacle, in
> fact we have had some contacts already.
>
> So I think you have safety in numbers if you decide to use that
> module now, and should be good for the next year or two. Keep
> in mind though that the long term future of the FIPS module is in
> doubt, as the upcoming OpenSSL 1.1 release may not have any FIPS
> support (at least initially). We're not going to try tackling a sixth new
> open source based validation on an at-risk basis like we've done in
> the past, as we think that risk is now too high. A new validation will
> require a sponsor willing to absorb that risk and champion the new
> validation within the government bureaucracy, and we have no such
> current prospects.
>
>> Will there be any code changes in the modules and will there be
>> a new version of the module (or will it be just the policy document
>> updated)?
>
> It's just a paper shuffle with no real-world impacts for end users.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc