[openssl-users] the fickleness of FIPS

Steve Marquess marquess at openssl.com
Mon Sep 7 12:46:40 UTC 2015


This is just a random little factoid for observers of the bizarre little
world of FIPS 140-2 validations. It's well known to that community that
validation outcomes are highly unpredictable. We've tried the "do very
similar submissions at the same time and marvel at the wild
discrepancies in outcome" experiment many times[*], but this one is
particularly illuminating.

On April 17 we submitted two validations that as identical as any two
such submissions could possibly be (exact same cryptographic module and
only one trivial cosmetic difference between the two Security Policy
documents[**]).

Approval of the "SE" submission took 69 calendar days (48 workdays);
after 143 calendar days (99 work days) its identical twin is still
unapproved. That's quite a variance (over 100%), and we don't even know
how that story ends yet.  It could take days, weeks, months longer and
we won't have a clue until it suddenly appears on the NIST CMVP web site.

-Steve M.

[*] See for instance
http://veridicalsystems.com/blog/the-fickleness-of-fips/

[**] That difference consists of six occurrences of "RE" in one versus
"SE" for the other; do a "s/SE/RE/g" substitution to
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2398.pdf
and you have the other validation.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc



More information about the openssl-users mailing list