[openssl-commits] [web] master update

Mark J. Cox mark at openssl.org
Tue Sep 18 13:07:58 UTC 2018

The branch master has been updated
       via  53cc720aa09a60463d62d184ab6e23baccef5e71 (commit)
       via  7c369dac41a2f5a25d3533932686c860958b2643 (commit)
       via  fb942af17ae8fff1e18939d57676678931e9b7e4 (commit)
       via  a1a3195d8d9abdbc5238618b23f73cb774262d09 (commit)
       via  91ca9441703a779d4c065dc181653410914ee6f2 (commit)
      from  50ac168c298eedf5aced96da0b6eff5aee57b9fd (commit)

- Log -----------------------------------------------------------------
commit 53cc720aa09a60463d62d184ab6e23baccef5e71
Merge: 50ac168 7c369da
Author: Mark J. Cox <markcox at gmail.com>
Date:   Tue Sep 18 14:07:12 2018 +0100

    Merge pull request #77 from iamamoose/oss
    Merge information from openssl.com and about OSS into main site

commit 7c369dac41a2f5a25d3533932686c860958b2643
Author: Mark J. Cox <mark at awe.com>
Date:   Tue Sep 18 13:09:05 2018 +0100

    Update to the latest OSS bylaws

commit fb942af17ae8fff1e18939d57676678931e9b7e4
Author: Mark J. Cox <mark at awe.com>
Date:   Tue Sep 18 11:04:31 2018 +0100

    Add verify CD image

commit a1a3195d8d9abdbc5238618b23f73cb774262d09
Author: Mark J. Cox <mark at awe.com>
Date:   Tue Sep 18 11:03:45 2018 +0100

    Add the page from http://openssl.com/verifycd.html but update to
    show we do not accept US cheques/checks at this time.

commit 91ca9441703a779d4c065dc181653410914ee6f2
Author: Mark J. Cox <mark at awe.com>
Date:   Tue Sep 18 10:49:41 2018 +0100

    Add OSS bylaws and details of OSS to the contact page rather than using openssl.com
    which we should deprecate.  Bring wording for FIPS in line with what we used on


Summary of changes:
 community/contacts.html |  19 ++++++++----
 docs/fips/verifycd.html |  81 ++++++++++++++++++++++++++++++++++++++++++++++++
 docs/fips/verifycd.jpg  | Bin 0 -> 20887 bytes
 policies/oss-bylaws.pdf | Bin 0 -> 38884 bytes
 4 files changed, 94 insertions(+), 6 deletions(-)
 create mode 100644 docs/fips/verifycd.html
 create mode 100644 docs/fips/verifycd.jpg
 create mode 100644 policies/oss-bylaws.pdf

diff --git a/community/contacts.html b/community/contacts.html
index 5c6f6a6..8c0820e 100644
--- a/community/contacts.html
+++ b/community/contacts.html
@@ -17,10 +17,21 @@
 	  (US) non-profit corporation with its own <a
+	  <p><em>OpenSSL Software Services</em>
+	    (OSS) also represents the OpenSSL project, for
+            <a href="/support/contracts.html">Support Contracts</a>, and 
+            as the
+	    Vendor of Record for NIST Cryptographic Module
+            <a
+              href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/1747">#1747</a>
+            (This is an open-source validation of <a href="/docs/fips.html">FIPS-140</a> based on OpenSSL).  
+            It is a Delaware (US) corporation with its own <a
+            href="/policies/oss-bylaws.pdf">bylaws</a>.</p>
-          The best way to contact OSF is by sending an email to
+          The best way to contact OSF or OSS is by sending an email to
           <a href="mailto:osf-contact at openssl.org">osf-contact at openssl.org</a>.
-          For postal or telephone contact, use the following:
+          For postal contact, use the following:
 	    40 E Main St, Suite 744<br>
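Review bot: The added OSS paragraph (from `<p><em>OpenSSL Software Services</em>` down to the bylaws link) mixes tab and space indentation from line to line and leaves trailing whitespace after `Support Contracts</a>, and` and after the FIPS-140 parenthetical; pick one indentation style and strip the trailing spaces. The wording can be tightened as well: the comma after the Support Contracts link is not needed, and the parenthetical `(This is an open-source validation of ... based on OpenSSL).` starts with a capital letter in the middle of the sentence. The contact sentence now covers both OSF and OSS while the address shown is still osf-contact, so it may be worth stating that OSS enquiries go to the same mailbox.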
@@ -29,10 +40,6 @@
-	  <p><a href="https://www.openssl.com">OpenSSL Software Services</a>
-	  (OSS) also represents the OpenSSL project, most notably as the
-	  Vendor of Record for the FIPS validation.</p>
 	  You are here: <a href="/">Home</a>
diff --git a/docs/fips/verifycd.html b/docs/fips/verifycd.html
new file mode 100644
index 0000000..a30a9c1
--- /dev/null
+++ b/docs/fips/verifycd.html
@@ -0,0 +1,81 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.shtml" -->
+  <!--#include virtual="/inc/banner.shtml" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+          <header><h2>FIPS 140-2 verification of the OpenSSL FIPS Object Module source distribution file</h2></header>
+	  <div class="entry-content">
+    <p>
+    <img src="./verifycd.jpg" align="left" border="0" alt="image of CD label" width="200" height="200">
+    The latest of the OpenSSL FIPS Object Module ("FIPS module")
+    FIPS 140-2 validations saw the introduction of a new requirement
+    by the CMVP:
+    <blockquote>
+      <em>The distribution tar file, shall be verified using an
+        independently acquired FIPS 140-2 validated cryptographic
+        module...</em>
+    </blockquote>
+    Some prospective users of the OpenSSL FIPS Object Module 2.0 already
+    have ready access to an existing securely-installed software product
+    using FIPS 140-2 validated cryptography that is capable of calculating
+    the HMAC-SHA-1 digest of a file on disk, in which case satisfying this
+    requirement is easy (simply calculate the HMAC-SHA-1 digest of the
+    source distribution file using the key <code>"etaonrishdlcupfm"</code>
+    and confirm it is that same as documented in the <a
+      href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm">Security Policy</a>
+    document (e.g., <code>"2cdd29913c6523df8ad38da11c342b80ed3f1dae"</code> for
+    <em>openssl-fips-2.0.tar.gz</em>).
+    </p>
+    <p>For most prospective users the identification, acquisition,
+    installation, and configuration of a suitable product may be a challenge.
+    (See Section 6.6 of our FIPS
+    <a href="/docs/fips/UserGuide-2.0.pdf">User
+      Guide</a>)
+    The requirement for this verification with an independently acquired
+    FIPS 140-2 validated cryptographic module does not apply when the
+    distribution file is distributed using a "secure" means. Distribution
+    on physical media is considered secure in this context, so as a
+    convenience a copy of the distribution files can be obtained from
+    <a href="/community/contacts.html">OSS</a> as a CD-ROM disks via postal mail.</p>
+    <p>The fee for this is $100 in US Dollars. At this time we are only able
+      to accept US wire transfers.
+    Email us at <a href="mailto:osf-contact at openssl.org">osf-contact at openssl.org</a>
+    and we will send you our ABA and account information.
+    <b>We cannot do credit cards, purchase orders, or anything other
+      than a US-based bank transfer at this time.</b>
+    We can mail internationally (the CD contains only open source code
+    and so may be exported under the TSU exception of EAR ECCN 5D002).
+    It will take a week or two to process your order.</p>
+    <p>Note that the files you will receive on these CDs will be
+    <em>identical</em> in every respect (except for formal FIPS 140-2
+    compliance) with the files you can download from <a
+      href="/source/">https://www.openssl.org/source/</a>
+    Once the distribution files have been received on this CD
+    they can be redistributed internally within an organizational
+    entity (corporation, institution, or agency) by normal means.
+    </p>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href="../">Docs</a>
+	    : <a href="../fips.html">FIPS</a>            
+	    : <a href="">FIPS-140 Verify CD</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.shtml" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.shtml" -->
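Review bot: The Security Policy link in the first paragraph uses plain `http://csrc.nist.gov/...`, yet that document is where the reader obtains the reference HMAC-SHA-1 value to compare against; use an https URL, as the NIST certificate link added to community/contacts.html in this same push does. In the same paragraph the `<blockquote>` sits inside the opening `<p>`, which HTML does not allow (the paragraph is closed implicitly and the later `</p>` is left unmatched), so close the `<p>` before the quote and open a new one after it. Text nits: the parenthesis opened at `(simply calculate` is never closed, `it is that same as` should read `it is the same as`, `as a CD-ROM disks` needs to be either singular or plural, the sentence ending at the `/source/` link has no full stop, and the breadcrumb `<a href="">FIPS-140 Verify CD</a>` has an empty href.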
diff --git a/docs/fips/verifycd.jpg b/docs/fips/verifycd.jpg
new file mode 100644
index 0000000..1037cb4
Binary files /dev/null and b/docs/fips/verifycd.jpg differ
diff --git a/policies/oss-bylaws.pdf b/policies/oss-bylaws.pdf
new file mode 100644
index 0000000..fc4fb65
Binary files /dev/null and b/policies/oss-bylaws.pdf differ
