On 14/02/2019 16:34, Jakob Bohm via openssl-users wrote:
> On 13/02/2019 20:12, Matt Caswell wrote:
>>
>> On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote:
>>> On 13/02/2019 12:26, Matt Caswell wrote:
>>>> Please see my blog post for an OpenSSL 3.0 and FIPS Update:
>>>>
>>>> https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
>>>>
>>>> Matt
>>> Given this announcement, a few questions arise:
>>>
>>> - How will a FIPS provider in the main tarball ensure compliance
>>>   with the strict code delivery and non-change requirements of the
>>>   CMVP (what was previously satisfied by distributing physical
>>>   copies of the FIPS canister source code, and sites compiling this
>>>   in a highly controlled environment to produce a golden canister)?
>> My understanding is that physical distribution is no longer a requirement.
> And the other things in that question?
>
> Integrity of validated source code when other parts of the tarball
> get regular changes?
>
> Building the validated source code in a controlled environment
> separate from the full tarball?

See the section of the Design document with the title "Detection of Changes
inside the FIPS Boundary". Basically there will be a version controlled checksum
covering all of the validated source.

Yes - I do expect you to be able to build just the validated source
independently of the rest of the tarball so that you could (for example) run the
latest main OpenSSL version but with an older module.

Matt
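
An added illustration of the idea in the reply above, one checksum kept in version control that covers every file inside the validated boundary, so routine changes elsewhere in the tarball leave it untouched while any edit, rename or removal inside the boundary is detected. This is not OpenSSL's code or the design document's format; the file names, the manifest layout and the `boundary_checksum`/`verify` helpers are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def boundary_checksum(root, boundary_files):
    """Return one SHA-256 hex digest covering every file inside the boundary.

    Paths are sorted and hashed together with each file's digest, so the
    result does not depend on listing order and changes when a boundary
    file is edited or renamed.
    """
    outer = hashlib.sha256()
    for rel in sorted(boundary_files):
        data = (Path(root) / rel).read_bytes()  # missing file raises OSError
        inner = hashlib.sha256(data).hexdigest()
        # One "digest  path" line per file (assumed layout, as sha256sum prints)
        outer.update(f"{inner}  {rel}\n".encode())
    return outer.hexdigest()

def verify(root, boundary_files, committed):
    """True only if the tree still matches the committed checksum (fails closed)."""
    try:
        return boundary_checksum(root, boundary_files) == committed
    except OSError:
        return False

def demo():
    """Constructed tree (hypothetical names): two files inside, one outside."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "fips").mkdir()
        (r / "apps").mkdir()
        (r / "fips/selftest.c").write_text("int selftest(void) { return 1; }\n")
        (r / "fips/digest.c").write_text("/* validated digest code */\n")
        (r / "apps/tool.c").write_text("/* v1 */\n")
        boundary = ["fips/selftest.c", "fips/digest.c"]
        committed = boundary_checksum(root, boundary)  # value kept in version control
        results = {}
        (r / "apps/tool.c").write_text("/* v2, routine change */\n")
        results["outside_change"] = verify(root, boundary, committed)
        (r / "fips/digest.c").write_text("/* patched */\n")
        results["inside_change"] = verify(root, boundary, committed)
        (r / "fips/digest.c").unlink()
        results["missing_file"] = verify(root, boundary, committed)
        return results

if __name__ == "__main__":
    print(demo())
```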