<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000099">
On 15/03/2016 21:24, Satya Das wrote:<br>
<blockquote
cite="mid:BL2PR07MB2404733E46065F0FE413B52AD7890@BL2PR07MB2404.namprd07.prod.outlook.com"
type="cite">
<pre wrap="">Even if a vendor letter is good for CMVP, how is the vendor supposed to know ?</pre>
</blockquote>
<br>
By remembering whether or not he followed the required procedure;
it's the only way for him to know.<br>
<br>
<blockquote
cite="mid:BL2PR07MB2404733E46065F0FE413B52AD7890@BL2PR07MB2404.namprd07.prod.outlook.com"
type="cite">
<pre wrap="">I would say openssl should give such a tool so that vendor and the testing Lab can know such things. It is more than critical that the applications link to the intended crypto module.</pre>
</blockquote>
<br>
You miss the point. It is no more or less critical that 'the
application link to the intended crypto module' than countless other
things. Many of the other things cannot be checked by running a
tool. How would a tool check that the vendor had executed 'make' at
the appropriate stage as opposed to (say) '/usr/bin/make'? How would
a tool check that the vendor had got the original tar file from the
OSF CD rather than by downloading it?<br>
<br>
<blockquote
cite="mid:BL2PR07MB2404733E46065F0FE413B52AD7890@BL2PR07MB2404.namprd07.prod.outlook.com"
type="cite">
<pre wrap="">This convoluted and complex object module linking etc. with 207 page user guide is specific to openssl's approach to FIPS, and therefore should be addressed by the project. It should not come down to some vendor document written in good faith.</pre>
</blockquote>
<br>
How can it come down to anything else? What other possible means are
there for a customer to know that an OpenSSL-based product is FIPS
140-2 validated?<br>
<br>
<pre class="moz-signature" cols="72">--
J. J. Farrell
Not speaking for Oracle.</pre>
</body>
</html>