On 03/23/2015 02:36 PM, xxiao8 wrote:
> The key issue still remains, are the validated SP800-90 DRBGs the _same_
> as SP800-90A's DRBGs? If yes then we can probably use Openssl-FIPS with
> SP800-90A, otherwise OpenSSL-FIPS 2.0.9 probably can no longer be used
> for any new validations?

At the time that validation was obtained the four (at the time) DRBGs
were specified by SP800-90. That document was subsequently reissued in
several pieces; the current SP800-90A now contains the specifications
for the three surviving DRBGs (the fatally tainted Dual EC DRBG having
been removed from the formal standards and also from the OpenSSL FIPS
Object Module).

Now the code for the OpenSSL FIPS module can no longer be used as-is for
new "private label" or copycat validations, but that's for different
reasons and not because of the DRBGs.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc