On 30/09/2015 15:34, Steve Marquess wrote: > On 09/30/2015 09:18 AM, Jakob Bohm wrote: >> ... >> >> Under the new "contribution agreement" scheme, publishing such items >> early would also make them available to users ... > Publishing by someone else is fine, go for it. It would be nice to have > someone else publish FIPS module code, or validation information of any > kind for that matter. I think the validation process would be a lot less > capricious with less of the secrecy that is the current norm. Point is that the contribution agreement contains a bug, whereby anything not published by the OpenSSL Foundation in the UK is not licensed to anyone. Having a publication procedure for things marked "This does NOT work in its current form, but we are giving you a license" works around that bug to the benefit of anyone recovering the project similar to how the original Australian project (SSLeay) was recovered by Dr. Henson in the UK as OpenSSL. > Anything we (OpenSSL) publish carries with it an implied support > obligation, and that's the key problem with FIPS specific code: it can't > be "verified" in any meaningful sense other than with an official formal > FIPS 140-2 validation. The FIPS 140-2 requirements are more metaphysical > and ideological than technical, and what's worse those requirements are > applied very subjectively. By that I mean that on multiple occasions > I've had the experience of taking very similar or even precisely > identical code through parallel validations, with different end results. > > The presence of FIPS specific code in an OpenSSL repo would imply some > sort of suitability for use with FIPS validations. No matter how many > disclaimers and caveats we attached to that, there would still be > vendors trying to use it to obtain validations and encountering > problems. Guess who they're gonna call? > > That problem is avoided if we obtain an open source based validation -- > one where the module is distributed in source code form -- that has been > successfully validated. That validation then speaks for itself. > >>> ... >>> We also have plans for a significant rewrite of the FIPS module >>> from its current form, and it's unlikely any third party submissions >>> would fit that vision. >> Interesting, I wonder if those plans include my previously >> posted ideas: >> ... > There are some issues with those ideas, but now is not the time to get > into details. We'll worry about it if and when we have an opportunity to > do a new open source based validation. Agreed, just making sure they were posted somewhere you could find them when the time comes. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150930/d440ee0e/attachment.html>
