On 18/12/2015 19:58, Steve Marquess wrote:
> On 12/18/2015 12:58 PM, jonetsu wrote:
>> Fair enough (in this context). But what about the code itself, is it ready
>> to be RSA 186-4 compliant ?
> We think we know how to write the code that would be necessary, for FIPS
> 186-4 and all the other new requirements, though you can never be sure
> until *your* specific module has been formally validated. Given the
> capriciousness of the FIPS 140-2 validation process, which I've
> commented on frequently, the fact that someone else did something in
> *their* validation doesn't necessarily mean a lot for *your* validation.
>
> But, without an open source based validation in which such code would
> have any general utility, we see no point in writing FIPS specific code.
> We're not in the business of doing speculative software development.
>
>> And, if we go through a validation, can OpenSSL benefit from it ?
> By "we" do you mean some sort of proprietary commercial validation?
> Those don't contribute at all to the availability of a no-cost open
> source validated module; code is worthless (even "open source" code) for
> the purposes of satisfying the USG/DoD FIPS 140-2 procurement
> requirements if it hasn't been sprinkled with the magical pixie dust of
> FIPS 140-2 validation.
>
> Writing the code isn't trivial, but that has never been the hard part...

Maybe he is asking that if "they" contribute the code, could this ease
the (non-bureaucratic) work that OpenSSL would need to do for that
future "version 3" FIPS module?

Enjoy and Merry Christmas

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded