<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 12/02/2015 11:16 AM, Steve Marquess wrote:<br>
<span style="white-space: pre;">> If you don't know or care what FIPS 140-2 is, be very glad this isn't
> your problem and turn your charitable attentions to some worthy
> cause.
>
> The CMVP has introduced a new policy that will result in the
> effective termination of many extant validations if they are not
> updated by January 31 2016[1]. That update is a pure paper shuffle
> -- adding politically correct verbiage to the Security Policy
> document -- but without it the CMVP will "de-list" the validation.
>
> ...
>
> So if you're a corporate user of the OpenSSL FIPS Object Module
> v2.0 validation(s) #1747/#2398/#2473, and want to continue using
> it past January 31, please be aware we'll need someone to cover
> that $1250 cost.
>
> Don't send any money to us; if you're interested in covering this
> cost I'll put you directly in touch with the test lab to work out
> specific payment arrangements.
>
> ...</span><br>
<br>
I'm getting private queries about this (why is there such
reluctance to discuss the delights of FIPS 140-2 in public?). To
save some time here's an anonymous query I received, with my reply:<br>
<br>
<span style="white-space: pre;">>> ... We are thinking of using openssl FIPS in our product but
>> haven't started the work yet.
>>
>> What will be the impacts to people like us who want to use the
>> OpenSSL FIPS modules but haven't started yet? Should we still use
>> the modules now or should we wait?
>
> Well, the #1747/#2398/#2473 validation is very widely used, so
> while the CMVP may block our future FIPS related initiatives I don't
> think they would dare kill those validations outright. Some
> stakeholder will pay the cost to surmount this latest obstacle, in
> fact we have had some contacts already.
>
> So I think you have safety in numbers if you decide to use that
> module now, and should be good for the next year or two. Keep
> in mind though that the long term future of the FIPS module is in
> doubt, as the upcoming OpenSSL 1.1 release may not have any FIPS
> support (at least initially). We're not going to try tackling a sixth new
> open source based validation on an at-risk basis like we've done in
> the past, as we think that risk is now too high. A new validation will
> require a sponsor willing to absorb that risk and champion the new
> validation within the government bureaucracy, and we have no such
> current prospects.
>
>> Will there be any code changes in the modules and will there be
>> new version of module (or will it be just the policy document
>> updated)?
>
> It's just a paper shuffle with no real-world impacts for end users.</span><br>
<br>
-Steve M.<br>
<br>
-- <br>
Steve Marquess<br>
OpenSSL Software Foundation<br>
1829 Mount Ephraim Road<br>
Adamstown, MD 21710<br>
USA<br>
+1 877 673 6775 s/b<br>
+1 301 874 2571 direct<br>
<a class="moz-txt-link-abbreviated" href="mailto:marquess@openssl.com">marquess@openssl.com</a><br>
gpg/pgp key: <a class="moz-txt-link-freetext" href="http://openssl.com/docs/0x6D1892F5.asc">http://openssl.com/docs/0x6D1892F5.asc</a><br>
<br>
</body>
</html>