On 01/19/2016 01:41 PM, security veteran wrote:
> Thanks Steve.
>
> So basically the idea is to allow companies to build the OpenSSL with FIPS
> modules in their product and ship only this version of OpenSSL to all
> their customers. For the customers who don't need FIPS, then just simply
> keep the FIPS mode disabled and then the OpenSSL will behave just like
> there's no FIPS module. Is that correct?
>
> ...

That is correct. After the #1747 validation was approved the CMVP introduced a new requirement that the POST be unconditional, which would conflict with that objective (to some extent anyway, by forcing the POST to run even in the more common case where FIPS 140-2 was not desired). So that design objective will not be fully achievable in future validations.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc