On 03/10/2015 08:20 AM, jonetsu wrote:
> ...
> Steve has replied that indeed the validation will be lost - I wonder
> if that would have any impact on the total validation costs for a
> whole unit, OS and apps ?

You're talking about a Level 2 validation (or higher)? You most
definitely do *not* want to include the OS or applications in the
"cryptographic module boundary" for Level 1.

> Would a non-modified FIPS OpenSSL library
> reduce the validation costs ?

I think you're going to be shocked at the cost (in time and money) to
validate a hacked OpenSSL FIPS module, compared to using it as-is or a
"change letter" update. That's because the CMVP has introduced a number
of new requirements since the current FIPS module was validated (in
2012), and any new validation will now need to satisfy those. That means
not only non-trivial code hacks unrelated to yours, but also a new paper
shuffle for the "arm waving" (DTR) components of the validation process.
The cost of the latter dwarfs the former; which is why we have not
attempted a new validation ourselves.

But, that cost could be dwarfed in turn by that of a Level 2 or 3
validation of a turnkey system including OS and apps.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc