On 15/03/2016 21:24, Satya Das wrote:
> Even if a vendor letter is good for CMVP, how is the vendor supposed to know?

By remembering whether or not he followed the required procedure; it's the only way for him to know.

> I would say openssl should give such a tool so that vendor and the testing Lab can know such things. It is more than critical that the applications link to the intended crypto module.

You miss the point. It is no more or less critical that 'the application link to the intended crypto module' than countless other things. Many of the other things cannot be checked by running a tool. How would a tool check that the vendor had executed 'make' at the appropriate stage as opposed to (say) '/usr/bin/make'? How would a tool check that the vendor had got the original tar file from the OSF CD rather than by downloading it?

> This convoluted and complex object module linking etc. with 207 page user guide is specific to openssl's approach to FIPS, and therefore should be addressed by the project. It should not come down to some vendor document written in good faith.

How can it come down to anything else? What other possible means are there for a customer to know that an OpenSSL-based product is FIPS 140-2 validated?

--
J. J. Farrell
Not speaking for Oracle.