On 12/14/2015 08:23 AM, Steve Marquess wrote:
> On 12/02/2015 11:16 AM, Steve Marquess wrote:
>> If you don't know or care what FIPS 140-2 is, be very glad this isn't
>> your problem and turn your charitable attentions to some worthy cause.
>>
>> The CMVP has introduced a new policy that will result in the effective
>> termination of many extant validations if they are not updated by
>> January 31 2016[1]. That update is a pure paper shuffle -- adding
>> politically correct verbiage to the Security Policy document -- but
>> without it the CMVP will "de-list" the validation. The original OpenSSL
>> FIPS Object Module validations (#1747, #2398, #2473) and all validations
>> based on them -- which is a lot of validations -- are affected.
>>
>> I'll be doing the labor to prepare the revised Security Policy documents
>> for all the validations that have been performed by OSF, both the well
>> known open source based ones and also "private label" ones, and the test
>> labs for some of those validations are also doing their part pro bono.
>> However, the test lab we used for the original open source based
>> validations (#1747, #2398, #2473) is charging $1250 for those three
>> related validations of the same module. Note this is not unreasonable as
>> these updates involve a non-trivial amount of work.
>>
>> ...
>
> I'm pleased to report that this $1250 cost to paper-shuffle the
> #1747/#2398/#2473 validations has been covered, by Datagravity Inc.
> Within minutes of hearing of the issue for the first time the CEO,
> Paula Long, not only had a check en route to the test lab but also sent
> a scan of the check and envelope as a heads-up for the lab.
>
> ...

Three companies answered this call to cover the cost of the "X9.31 RNG
transition" paper shuffle. Datagravity (http://datagravity.com/) acted
quickly and decisively, and the requisite paperwork has begun its
journey through the bowels of the FIPS 140-2 bureaucracy.

I would like to note that another company, Niksun (https://niksun.com/)
also contacted the test lab to make arrangement for payment of that fee.
If not for Datagravity beating them to the punch they would have been
the benefactor for this very necessary action.

The third company (not named here by request) was vigorously pursuing an
in-house approvals process and would also have covered this effort.

I thank all three for volunteering to bail out the entire community of
OpenSSL FIPS module users.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc