On 12/18/2015 12:58 PM, jonetsu wrote:
> Fair enough (in this context). But what about the code itself, is it ready
> to be RSA 186-4 compliant?

We think we know how to write the code that would be necessary, for FIPS 186-4 and all the other new requirements, though you can never be sure until *your* specific module has been formally validated. Given the capriciousness of the FIPS 140-2 validation process, which I've commented on frequently, the fact that someone else did something in *their* validation doesn't necessarily mean a lot for *your* validation.

But, without an open source based validation in which such code would have any general utility, we see no point in writing FIPS specific code. We're not in the business of doing speculative software development.

>
> And, if we go through a validation, can OpenSSL benefit from it?

By "we" do you mean some sort of proprietary commercial validation? Those don't contribute at all to the availability of a no-cost open source validated module; code is worthless (even "open source" code) for the purposes of satisfying the USG/DoD FIPS 140-2 procurement requirements if it hasn't been sprinkled with the magical pixie dust of FIPS 140-2 validation.

Writing the code isn't trivial, but that has never been the hard part...

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc