On 01/28/2015 08:31 AM, jonetsu at teksavvy.com wrote:
> ...
>
>> We have not done any validations that satisfy the various new
>> requirements introduced in late 2013 and early 2014. New validations
>> are very expensive, in dollars, time, and grief, and we don't have the
>> necessary financial backing.
>
> Something I don't understand. Does validation prevent any software
> development? E.g. why not develop a newer version that is not
> validated (until further notice) but will include, for instance, the
> automatic library load that would perform transparently all the FIPS
> checks?
>
> ...

Why should we?

Frankly the FIPS 140-2 stuff is of interest to only a small portion of the overall OpenSSL user base: basically just those commercial vendors who sell to the U.S. government market. The FIPS validated software itself is necessarily inferior to the stock OpenSSL by any "real world" metric (security, performance, maintainability and usability), and so has no value for the rest of the world or the private sector in the U.S.

The fully validated module (OpenSSL FIPS Object Module) is at least of use to all those commercial vendors selling to the USG and DoD; speculative code that would make it easier for vendors like you to pursue private proprietary validations would be of interest to a far smaller subset. We have enough demands on our limited resources as it is to expend them on such a limited constituency.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc