[openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

Steve Marquess marquess at openssl.com
Sat Oct 31 12:34:33 UTC 2015


On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote:
> Hi,
> 
> I don't know what your intentions are with FIPS support in master, ...

We would like to continue to provide a FIPS validated module for the 1.1
(and subsequent) releases. Unfortunately the current module ("OpenSSL
FIPS Object Module 2.0") designed for compatibility with the 1.0
releases won't be compatible with 1.1. That means we need to obtain a
new validation for a new module, an endeavor fraught with many
difficulties (none of them technical).

I do expect the stars will align for that eventually, as they have for
the five previous open source based validations. In the interim, since
the FIPS module is shaped almost entirely by policy and metaphysical
considerations, we should not include any incomplete FIPS specific code
in 1.1 -- code that even if complete in some speculative sense would
also be unusable absent a matching FIPS 140-2 validation.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

