Re: OpenSSL 3.0 and FIPS Update

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 14/02/2019 16:34, Jakob Bohm via openssl-users wrote:
> On 13/02/2019 20:12, Matt Caswell wrote:
>>
>> On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote:
>>> On 13/02/2019 12:26, Matt Caswell wrote:
>>>> Please see my blog post for an OpenSSL 3.0 and FIPS Update:
>>>>
>>>> https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
>>>>
>>>> Matt
>>> Given this announcement, a few questions arise:
>>>
>>> - How will a FIPS provider in the main tarball ensure compliance
>>>   with the strict code delivery and non-change requirements of the
>>>   CMVP (what was previously satisfied by distributing physical
>>>   copies of the FIPS canister source code, and sites compiling this
>>>   in a highly controlled environment to produce a golden canister)?
>> My understanding is that physical distribution is no longer a requirement.
> And the other things in that question?
> 
> Integrity of validated source code when other parts of the tarball
> get regular changes?
> 
> Building the validated source code in a controlled environment
> separate from the full tarball?

See the section of the Design document with the title "Detection of Changes
inside the FIPS Boundary". Basically there will be version controlled checksum
covering all of the validated source.

Yes - I do expect you to be able to build just the validated source
independently of the rest of the tarball so that you could (for example) run the
latest main OpenSSL version but with an older module.


Matt
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux