On 16/05/2019 02:11, Paul Dale wrote:
> Just noting that any module built in this manner is *not* FIPS compliant. The distribution must be unmodified and build exactly as per the documentation. Any change to the files or the build process renders the result invalid from a FIPS perspective.

Only deviations from the official process in creating the fipscanister invalidate the FIPS validation. The FIPS-capable OpenSSL is "outside the boundary" of the FIPS module and can be changed at will. This is why a new FIPS validation is not needed every time OpenSSL releases a bugfix to OpenSSL 1.0.x. 1.1.x will not have FIPS support, and 4.y.x may lack this agility.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded