[openssl-users] FIPS 140-2 red letter puzzle

Steve Marquess marquess at openssl.com
Mon Feb 22 15:10:54 UTC 2016


As always, if you don't know or care what FIPS 140-2 is then rejoice at
your good fortune and move on.

I'm getting queries about "red letter" text in the listing of the #1747
validation on the NIST CMVP web site:

  http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747

That red letter text says "This module is in process for the RNG
transition."

The #1717 validation is the original validation for the OpenSSL FIPS
Module v2.0, and the one with the most platforms (that module is now
also covered by two additional validations, #2398 and #2473, for
perverse bureaucratic reasons).

The "change letter" updates to satisfy the "RNG transition" requirements
were submitted for all three validations and approved for all three by
the CMVP in late January (#1747, #2473) or early February (#2398) at
which point the "This module is in process for the RNG transition." text
was removed for all three validations.

Now that text is back for the #1747 validation; apparently appearing
sometime on February 19 (or at least that's when I received the first
report). Otherwise that entry still reflects the successful RNG
transition (the new Security Policy is linked and the RNG algorithm
appears in the "Other algorithms" category).

I have no idea why the red letter text is back, and have submitted a
request for clarification through our accredited test lab.

I suspect this is just a clerical error, a not uncommon occurrence. So,
don't panic yet. I think we will eventually receive confirmation that
this red-letter message is an error and that it will be corrected.

Such confirmation may take some time, though. Similar errors in the past
have remained uncorrected for months.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

