On 27/02/2019 20:59, Salz, Rich via openssl-users wrote:
> If you change a single line of code or do not build it EXACTLY as documented, you cannot claim to use the OpenSSL validation.

I believe the context here is one I also mentioned in my comment on the 3.0 draft spec:

- OpenSSL FIPS Module provides FIPS validated software implementations of all/most of the permitted algorithms.

- Engine provides FIPS validated (hardware?) implementations of one or more implementations, under a separate FIPS validation, perhaps done at the hardware level.

- FIPS-capable OpenSSL (outside the FIPS boundary) is somehow made to use both FIPS validated modules depending on various conditions (such as algorithm availability). FIPS-capable OpenSSL can be changed without breaking the FIPS validation of the modules.

- Overall application claims FIPS compliance as all crypto is done by FIPS validated modules.

A hypothetical US gov example would be using a certificate on a FIPS validated FIPS 201 PIV ID card.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded