<div dir="ltr">Thank you Steve,<div><br></div><div>This is very useful information.</div><div><br></div><div>>><span style="font-size:12.8px">I'm getting private queries about this (why is there is such reluctance to discuss the delights of FIPS 140-2 in public?).</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">I've noticed technical questions related to private FIPS certifications never get answered, at least not on this distribution list. I know mine was never answered. Maybe that's why users are reluctant to post their questions publicly and hope that a private email will get answered for sure. </span></div><div><span style="font-size:12.8px">Obviously there are also company restrictions related to confidentiality to consider, knowing that competitors and even customers are registered on the distribution list too.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">BTW, I had guessed why FIPS certification questions don't get answered: it's all about funding, but thank you for explaining it in your email.</span></div><div><span style="font-size:12.8px">>>...</span><span style="font-size:12.8px"> </span><span style="font-size:12.8px">FIPS validation business; it has gone</span></div><span style="font-size:12.8px">from economically marginal to unsustainable and as a result we'll</span><br style="font-size:12.8px"><span style="font-size:12.8px">probably be shutting down the corporate entity that does the FIPS</span><br style="font-size:12.8px"><span style="font-size:12.8px">validation work at the end of this year. I want to turn off the lights</span><br style="font-size:12.8px"><span style="font-size:12.8px">while that business is still (barely) in the black...</span><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">I think a formal statement should be posted on the OpenSSL website, so that all (FIPS) users know the level of support to expect.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Thank you all for you great work.</span></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 2, 2015 at 6:56 PM, Steve Marquess <span dir="ltr"><<a href="mailto:marquess@openssl.com" target="_blank">marquess@openssl.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
On 12/02/2015 11:16 AM, Steve Marquess wrote:<br>
<span style="white-space:pre-wrap">> If you don't know or care what FIPS 140-2 is, be very glad this isn't
> your problem and turn your charitable attentions to some worthy
> cause.
>
> The CMVP has introduced a new policy that will result in the
> effective termination of many extant validations if they are not
> updated by January 31 2016[1]. That update is a pure paper shuffle
> -- adding politically correct verbiage to the Security Policy
> document -- but without it the CMVP will "de-list" the validation.
>
> ...
>
> So if you're a corporate user of the OpenSSL FIPS Object Module</span><br>
><span style="white-space:pre-wrap"> v2.0 validation(s) #1747/#2398/#2473, and want to continue using</span><span class=""><br>
><span style="white-space:pre-wrap"> it past January 31, please be aware we'll need someone to cover</span><br></span>
><span style="white-space:pre-wrap"> that $1250 cost.
>
> Don't send any money to us; if you're interested in covering this
> cost I'll put you directly in touch with the test lab to work out
> specific payment arrangements.
>
> ...</span><br>
<br>
I'm getting private queries about this (why is there is such
reluctance to discuss the delights of FIPS 140-2 in public?). To
save some time here's an anonymous query I received, with my reply:<br>
<br>
<span style="white-space:pre-wrap">>> ... We are thinking of using openssl FIPS in our product but
>> haven't started the work yet.
>>
>> What will be the impacts to people like us who want to use the
>> OpenSSL FIPS modules but haven't started yet? Should we still use
>> the modules now or should we wait?
>
> Well, the #1747/#2398/#2473 validation is very widely used, so
> while the CMVP may block our future FIPS related initiatives I don't
> think they would dare kill those validations outright. Some
> stakeholder will pay the cost to surmount this latest obstacle, in
> fact we have had some contacts already.
>
> So I think you have safety in numbers if you decide to use that
> module now, and should be good for the next year or two. Keep</span><br>
><span style="white-space:pre-wrap"> in mind though that the long term future of the FIPS module is in</span><br>
><span style="white-space:pre-wrap"> doubt, as the upcoming OpenSSL 1.1 release may not have any FIPS</span><br>
><span style="white-space:pre-wrap"> support</span><span style="white-space:pre-wrap"> (at least initially). We're not going to try tackling a sixth new</span><br>
><span style="white-space:pre-wrap"> open source based validation on an at-risk basis like we've done in</span><br>
><span style="white-space:pre-wrap"> the past, as we think that risk is now too high. A new validation will
> require a sponsor willing to absorb that risk and champion the new
> validation within the government bureaucracy, and we have no such
> current prospects.
>
>> Will there be any code changes in the modules and will there be</span><br>
>><span style="white-space:pre-wrap"> new version of module (or will it be just the policy document
>> updated)?
>
> It's just a paper shuffle with no real-world impacts for end users.</span><br>
<br>
-Steve M.<span class=""><br>
<br>
-- <br>
Steve Marquess<br>
OpenSSL Software Foundation<br>
1829 Mount Ephraim Road<br>
Adamstown, MD 21710<br>
USA<br>
<a href="tel:%2B1%20877%20673%206775" value="+18776736775" target="_blank">+1 877 673 6775</a> s/b<br>
<a href="tel:%2B1%20301%20874%202571" value="+13018742571" target="_blank">+1 301 874 2571</a> direct<br>
<a href="mailto:marquess@openssl.com" target="_blank">marquess@openssl.com</a><br>
gpg/pgp key: <a href="http://openssl.com/docs/0x6D1892F5.asc" target="_blank">http://openssl.com/docs/0x6D1892F5.asc</a><br>
<br>
</span></div>
<br>_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br></blockquote></div><br></div>