Re: Comments on the recent OpenSSL 3.0.0 specification


 



(Resend from correct account)

On 15/02/2019 18:35, Salz, Rich via openssl-users wrote:
(as for "possibly not the FIPS provider", that's exactly right. That
one *will* be a loadable module and nothing else, and will only be
validated as such... meaning that no one can stop you from hacking
around and have it linked in statically, but that would make it
invalid re FIPS)

To be pedantic: this is true only *if you are using the OpenSSL validation.* If you are getting your own validation (such as using OpenSSL in an HSM device or whatnot), this is not true.

> - If permitted by the CMVP rules, allow an option for
> application provided (additional) entropy input to the RNG
> from outside the module boundary.

This is allowed, but it does not count toward the "minimum entropy" requirements. Anything after the first seeding falls into that category.


Thanks, the document wording made it look like the OpenSSL 3 FIPS RNG would
only accept the system entropy source.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



