[openssl-commits] [web] master update

Tim Hudson tjh at openssl.org
Sun Dec 10 12:39:10 UTC 2017

The branch master has been updated
       via  22fe369deffaccab10d1cf82b740a85064f8b782 (commit)
      from  0a4c853aded41a16c9b7029406ec1e82dbb6079a (commit)

- Log -----------------------------------------------------------------
commit 22fe369deffaccab10d1cf82b740a85064f8b782
Author: Tim Hudson <tjh at cryptsoft.com>
Date:   Sun Dec 10 22:37:22 2017 +1000

    update the fips related information
    - remove all references and pointers to OVS or openssl.com
    - remove negative comments/opinions/statements about NIST/CSE/CMVP
    - remove historical advertising information
    - point to the general contact address


Summary of changes:
 docs/fips.html           |  2 --
 docs/fipsnotes.html      | 43 ++++---------------------------------------
 docs/fipsvalidation.html | 29 +++--------------------------
 3 files changed, 7 insertions(+), 67 deletions(-)

diff --git a/docs/fips.html b/docs/fips.html
index bc19603..ffef801 100644
--- a/docs/fips.html
+++ b/docs/fips.html
@@ -34,8 +34,6 @@
 	    <a href="fips/UserGuide-2.0.pdf">2.0 User Guide</a>.
-	    <p>In mid-year 2017 work began on a new FIPS module for use with OpenSSL release 1.1.
 	    <p>Thanks to multiple platform sponsorships the 2.0 validations
 	    include the largest number of formally tested platforms for any
 	    validated module.</p>
diff --git a/docs/fipsnotes.html b/docs/fipsnotes.html
index c850f76..7f689fd 100644
--- a/docs/fipsnotes.html
+++ b/docs/fipsnotes.html
@@ -9,21 +9,10 @@
 	  <header><h2>Important Notes about OpenSSL and FIPS 140</h2></header>
 	  <div class="entry-content">
-	    <p>Please please read the <a href="fips/UserGuide.pdf">User Guide</a>.
-	    Nothing will make sense otherwise (it still may not afterwards,
-	    but at least you've a better chance).</p>
-	    <p>No new validations are currently planned.</p>
+	    <p>Please please read the <a href="fips/UserGuide.pdf">User Guide</a>.</p>
 	    <h3>FIPS What?  Where Do I Start?</h3>
-	    <p>Ok, so your company needs FIPS validated cryptography to land
-	    that big sale, and your product currently uses OpenSSL. You
-	    haven't worked up the motivation to wade through the entire <a
-	    href="fips/UserGuide.pdf">User Guide</a> and want the quick "executive
-	    summary".  Here is a grossly oversimplified account:</p>
-	    <p>
 	      <li>OpenSSL itself is not validated.  Instead
@@ -33,10 +22,9 @@
 	      the OpenSSL API can be converted to use validated cryptography
 	      with minimal effort.</li>
-	      <li>The OpenSSL FIPS Object Module validation is unique among
-	      all FIPS 140-2 validations in that the product is "delivered" in
-	      source code form, meaning that if you can use it exactly as is
-	      and can build it (according to the very specific documented
+	      <li>The OpenSSL FIPS Object Module validation 
+	      is "delivered" in source code form, meaning that if you can use it 
+	      exactly as is and can build it (according to the very specific documented
 	      instructions) for your platform, then you can use it as
 	      validated cryptography on a "vendor affirmed" basis.</li>
@@ -65,29 +53,6 @@
             We are not currently taking on any additional validation work
             nor adding new platforms to the existing "1747" validation.
-	    <h3>Performance at Startup</h3>
-	    <p>We have had many complaints about poor performance of the
-	    Power-On Self Test (POST) on low powered computers, as with some
-	    embedded devices. In the worst cases the POST can take several
-	    minutes. Such devices were not included as test platforms at the
-	    time the code was originally written.</p>
-	    <p>The current FIPS validated code performs a very comprehensive
-	    set of mandatory algorithm self tests when it enter FIPS mode
-	    covering many algorithm combinations. There is a DSA parameter
-	    generation self test which is especially CPU intensive.</p>
-	    <p>As a result of the POST performance issue we revisited the KAT
-	    (Known Answer Test) requirements in the POST process that were
-	    burning up most of those cycle.  In consultation with a CMVP test
-	    lab we determined that it should be possible to substantially
-	    reduce that performance penalty in a new validation.
-	    Unfortunately such a change can only be undertaken in the context
-	    of a new validation, and not as a change letter modification.</p>
-	    <p>Another factor affecting performance is the use (or not) of
-	    platform specific optimizations.  The x86/x64 Windows and Linux
-	    code makes use of assembly language optimizations for FIPS
-	    cryptographic algorithms. The C only version is much slower and so
-	    the POST is slower too.</p>
 	    You are here: <a href="/">Home</a>
diff --git a/docs/fipsvalidation.html b/docs/fipsvalidation.html
index 4b36886..d36c2d2 100644
--- a/docs/fipsvalidation.html
+++ b/docs/fipsvalidation.html
@@ -23,20 +23,6 @@
 	    which is documented in the
 	    <a href="fips/UserGuide-1.2.pdf">1.2 User Guide</a>.</p>
-	    <p><strong>Important Note:</strong>
-	    Due to new requirements introduced in 2013 the current v2.0 Module
-	    is no longer suitable as a reference for private label
-	    validations; see the <a
-	    href="https://www.openssl.com/fips/ig95.html">I.G. 9.5 FAQ</a>.
-	    Due to earlier changes in the FIPS 140-2 validation requirements
-	    the v1.2 Module is no longer be a suitable model for private label
-	    validations in its current form past the year 2010; see the NIST <a
-	      href="http://csrc.nist.gov/groups/STM/cmvp/notices.html">Notices</a>,
-	    <a
-	      href="http://csrc.nist.gov/groups/ST/key_mgmt/documents/Transitioning_CryptoAlgos_070209.pdf">discussion paper</a>
-	    and <a
-	      href="http://csrc.nist.gov/publications/drafts/800-131/draft-800-131_transition-paper.pdf">Draft 800-131</a>.</p>
 	    <p>The OpenSSL FIPS Object Module validations receive support
 	    from multiple sources for each validation effort; however only
@@ -92,18 +78,9 @@
 	    <p>If you have an interest in sponsoring any changes or additions
-	    to this validation please contact <a
-	      href="https://openssl.com/fips">OpenSSL Validation Services</a>.</p>
-	    <p>Some commercial software vendors ask us "what do we gain from
-	    sponsoring a validation that our competition can also use?".  Our
-	    answer is "nothing, if you think in terms of obstructing your
-	    competition".  If, on the other hand, you compete primarily on the
-	    merits of your products then what others may do with the validation is
-	    less of a threat as they derive no more advantage from it than you
-	    do.  Your advantage is that your sponsorship will probably cost
-	    less that the commercial software license you would otherwise have
-	    to buy, and you will retain backwards compatibility with the
-	    regular OpenSSL API while avoiding vendor lock-in.</p>
+	    to this validation please contact us via an email to <a
+	      href="mailto:osf-contact at opensl.org">osf-contact at openssl.org</a>.</p>
 	    You are here: <a href="/">Home</a>

More information about the openssl-commits mailing list