[openssl-users] FIPS 140-2 X9.31 RNG transition expenses

Steve Marquess marquess at openssl.com
Wed Dec 2 16:16:38 UTC 2015

If you don't know or care what FIPS 140-2 is, be very glad this isn't
your problem and turn your charitable attentions to some worthy cause.

The CMVP has introduced a new policy that will result in the effective
termination of many extant validations if they are not updated by
January 31 2016[1]. That update is a pure paper shuffle -- adding
politically correct verbiage to the Security Policy document -- but
without it the CMVP will "de-list" the validation. The original OpenSSL
FIPS Object Module validations (#1747, #2398, #2473) and all validations
based on them -- which is a lot of validations -- are affected.

I'll be doing the labor to prepare the revised Security Policy documents
for all the validations that have been performed by OSF, both the well
known open source based ones and also "private label" ones, and the test
labs for some of those validations are also doing their part pro bono.
However, the test lab we used for the original open source based
validations (#1747, #2398, #2473) is charging $1250 for those three
related validations of the same module. Note this is not unreasonable as
these updates involve a non-trivial amount of work.

In years past that would be just another routine cost of doing business
that we would absorb, as for instance we did earlier this year for the
"ransom" of the "RE" validation[2]. However, 2015 has not been a good
year for the open source based FIPS validation business; it has gone
from economically marginal to unsustainable and as a result we'll
probably be shutting down the corporate entity that does the FIPS
validation work at the end of this year. I want to turn off the lights
while that business is still (barely) in the black, and so have vowed
not to take on any new expenses and will not be paying this $1250 out of
those cash reserves, or out of my retirement savings. I also feel rather
strongly that the FIPS related OpenSSL activities should not be
subsidized out of donations or other general OpenSSL revenues. IMHO it's
enough that I've worked on FIPS issues all this year with no income to
show for it.

So if you're a corporate user of the OpenSSL FIPS Object Module v2.0,
validation(s) #1747/#2398/#2473, and want to continue using it past
January 31, please be aware we'll need someone to cover that $1250 cost.

Don't send any money to us; if you're interested in covering this cost
I'll put you directly in touch with the test lab to work out specific
payment arrangements.


-Steve M.

[1] See "X9.31 RNG transition, December 31, 2015" at

[2] http://openssl.com/fips/ransom.html

Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list