On 03/24/2015 01:27 PM, jonetsu wrote: > > >> From: "Steve Marquess" <marquess at openssl.com> Date: 03/24/15 12:38 >> > > >> No, the OpenSSL FIPS module 2.0 code is no longer suitable (as of >> early 2014) for use as-is in doing copycat validations. Some >> non-trivial code hacks will be necessary. > >> We'll do a new open source based validation to succeed the 2.0 >> FIPS module (#1747 validation) at the first opportunity, but that >> opportunity has not yet presented itself. > > I still do not know that much about the validation in practical > terms. If our units go through validation, can this benefit OpenSSL > ? Not in the tiniest, unless you completely open source the entire thing as we did (specifically in a validation that includes the build-from-source part). A FIPS 140-2 validation is like magical pixie dust in that you and I can each take exactly the same source code and each build a binary FIPS module from it in exactly the same way, for exactly the same platform, and your module will be "validated" and mine won't (or vice-versa, depending on the pixe dust). > > Also, to go back to the SP 800-90 vs. SP 800-90A regarding the DRBGs, > do you know how would the OpenSSL SP 800-90 validation fare in a FIPS > testing lab since the Dual EC was removed and the other three were > not touched ? We "revalidate" the DRBGs every time we do a new "change letter" platform addition, which is frequently. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at opensslfoundation.com marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
