This is just a random little factoid for observers of the bizarre little world of FIPS 140-2 validations. It's well known to that community that validation outcomes are highly unpredictable. We've tried the "do very similar submissions at the same time and marvel at the wild discrepancies in outcome" experiment many times[*], but this one is particularly illuminating. On April 17 we submitted two validations that as identical as any two such submissions could possibly be (exact same cryptographic module and only one trivial cosmetic difference between the two Security Policy documents[**]). Approval of the "SE" submission took 69 calendar days (48 workdays); after 143 calendar days (99 work days) its identical twin is still unapproved. That's quite a variance (over 100%), and we don't even know how that story ends yet. It could take days, weeks, months longer and we won't have a clue until it suddenly appears on the NIST CMVP web site. -Steve M. [*] See for instance http://veridicalsystems.com/blog/the-fickleness-of-fips/ [**] That difference consists of six occurrences of "RE" in one versus "SE" for the other; do a "s/SE/RE/g" substitution to http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2398.pdf and you have the other validation. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at opensslfoundation.com marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
