[openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

Richard Levitte levitte at openssl.org
Sat Oct 31 13:01:44 UTC 2015


Can't recall previous discussions on this, but would it be possible to have a FIPS engine? 

Cheers 
Richard 

Steve Marquess <marquess at openssl.com> wrote: (31 October 2015 13:34:33 CET)
>On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote:
>> Hi,
>> 
>> I don't know what your intentions are with FIPS support in master,
>...
>
>We would like to continue to provide a FIPS validated module for the 1.1
>(and subsequent) releases. Unfortunately the current module ("OpenSSL
>FIPS Object Module 2.0") designed for compatibility with the 1.0
>releases won't be compatible with 1.1. That means we need to obtain a
>new validation for a new module, an endeavor fraught with many
>difficulties (none of them technical).
>
>I do expect the stars will align for that eventually, as they have for
>the five previous open source based validations. In the interim, since
>the FIPS module is shaped almost entirely by policy and metaphysical
>considerations, we should not include any incomplete FIPS specific code
>in 1.1 -- code that even if complete in some speculative sense would
>also be unusable absent a matching FIPS 140-2 validation.
>
>-Steve M.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

