On 04/07/2019 16:44, Salz, Rich wrote:
Is the use of OpenSSL an actual legal requirement of the certification of
the FIPS object module, or just the easiest way to use it?
I'm not sure who you are asking this.
The exiting FIPS validations for OpenSSL only cover the 1.0.2 based source code.
Difference would be particularly significant in case someone created code
to use the validated FOM 2.0 module with the OpenSSL 1.1.x feature
enhancements (as the project itself has indicated no desire to do so).
They would have to get their own validation, their own lab to verify, etc., etc.
That seems to contradict the other answer, which is that legally, the
FIPS cannister (properly built) can be used with any software outside
the cryptographic boundary, the soon-to-be-deprecated OpenSSL 1.0.2
library just being the normal default.
If the other answer is correct, it should be perfectly OK (legally) for
someone to modify OpenSSL 1.1.1 source code to call the FIPS canister
for everything, and the result should be an application that is as FIPS
"compliant" as an application that runs something unrelated (such as
Apache mod_ssl) on top of OpenSSL-1.0.2 on top of FOM 2.x , thus no new
validation required.
The point is that some people may soon be in a desperate need to find a
FIPS-capable replacement for OpenSSL 1.0.x.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
