On 12/02/2015 11:16 AM, Steve Marquess wrote:
> If you don't know or care what FIPS 140-2 is, be very glad this isn't
> your problem and turn your charitable attentions to some worthy cause.
>
> The CMVP has introduced a new policy that will result in the effective
> termination of many extant validations if they are not updated by
> January 31 2016[1]. That update is a pure paper shuffle -- adding
> politically correct verbiage to the Security Policy document -- but
> without it the CMVP will "de-list" the validation. The original OpenSSL
> FIPS Object Module validations (#1747, #2398, #2473) and all validations
> based on them -- which is a lot of validations -- are affected.
>
> I'll be doing the labor to prepare the revised Security Policy documents
> for all the validations that have been performed by OSF, both the well
> known open source based ones and also "private label" ones, and the test
> labs for some of those validations are also doing their part pro bono.
> However, the test lab we used for the original open source based
> validations (#1747, #2398, #2473) is charging $1250 for those three
> related validations of the same module. Note this is not unreasonable as
> these updates involve a non-trivial amount of work.
>
> ...

I'm pleased to report that this $1250 cost to paper-shuffle the #1747/#2398/#2473 validations has been covered, by Datagravity Inc. Within minutes of hearing of the issue for the first time the CEO, Paula Long, not only had a check en route to the test lab but also sent a scan of the check and envelope as a heads-up for the lab. It's refreshing to encounter a company, and not a tiny one at that, which can complete the see-decide-act cycle in Internet time, when others would just be warming up for a days or weeks long odyssey through the bowels of an in-house corporate bureaucratic process.
In covering this cost Datagravity has not only addressed direct impacts to their business from the threatened de-listing, but has also bailed out the hundreds of commercial vendors and government agencies using those validations.

Note it is still possible that those validations may still be briefly de-listed, as the paperwork hasn't been submitted yet. Hopefully that will happen this week, but the CMVP backlog for acting on such submissions is typically several months and the deadline for de-listing is only six weeks away during a time of year when the CMVP tends to move at less than breakneck speed. I do not know for sure that they will defer that when the requisite paperwork is sitting unreviewed in their inbox.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc