On 08/19/2016 12:43 PM, jonetsu wrote:
> Hello,
>
> We are using FOM 2.0.9 for an embedded product that will go for FIPS
> validation. Validation of the full product, that is. All
> development so far is with 2.0.9. What would be the reasons, if any,
> to update to 2.0.12 before going to the lab?
>
> Thanks - comments much appreciated.

No reason at all, if 2.0.9 works for you as-is and you're getting your own validation.

Unlike the usual case for software, where continual improvements and bugfixes are routinely implemented, we're not allowed to do bugfixes or refinements (not even security vulnerability mitigations) for validated modules. So later revisions of the OpenSSL FIPS Object Module are not "better" in any meaningful way, as you'd normally assume. The only difference between revisions[*] is the addition of platform-specific portability mods. As part of the validation process we have to demonstrate that the revision mods can't have any effect on any previously tested platforms.

On the other hand, since there are no substantive differences between 2.0.9 and 2.0.13, and since you're apparently going to the expense and trouble of obtaining a copycat validation, there's no reason for you *not* to use 2.0.13. That way you'd potentially have coverage for more platforms.

-Steve M.

[*] Removal of Dual EC DRBG -- arguably a vulnerability mitigation -- at revisions 2.0.6 and 2.0.8 is a singular exception to that rule.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc