[openssl-users] FIPS 140-2 X9.31 RNG transition expenses

Steve Marquess marquess at openssl.com
Wed Dec 2 18:56:40 UTC 2015

On 12/02/2015 11:16 AM, Steve Marquess wrote:
> If you don't know or care what FIPS 140-2 is, be very glad this isn't
> your problem and turn your charitable attentions to some worthy
> cause.
>
> The CMVP has introduced a new policy that will result in the
> effective termination of many extant validations if they are not
> updated by January 31 2016[1]. That update is a pure paper shuffle
> -- adding politically correct verbiage to the Security Policy
> document -- but without it the CMVP will "de-list" the validation.
>
> ...
>
> So if you're a corporate user of the OpenSSL FIPS Object Module
> v2.0 validation(s) #1747/#2398/#2473, and want to continue using
> it past January 31, please be aware we'll need someone to cover
> that $1250 cost.
>
> Don't send any money to us; if you're interested in covering this
> cost I'll put you directly in touch with the test lab to work out
> specific payment arrangements.
>
> ...

I'm getting private queries about this (why is there such reluctance
to discuss the delights of FIPS 140-2 in public?). To save some time,
here's an anonymous query I received, with my reply:

>> ... We are thinking of using openssl FIPS in our product but
>> haven't started the work yet.
>>
>> What will be the impacts to people like us who want to use the
>> OpenSSL FIPS modules but haven't started yet? Should we still use
>> the modules now or should we wait?
>
> Well, the #1747/#2398/#2473 validation is very widely used, so
> while the CMVP may block our future FIPS related initiatives I don't
> think they would dare kill those validations outright. Some
> stakeholder will pay the cost to surmount this latest obstacle, in
> fact we have had some contacts already.
>
> So I think you have safety in numbers if you decide to use that
> module now, and should be good for the next year or two. Keep
> in mind though that the long term future of the FIPS module is in
> doubt, as the upcoming OpenSSL 1.1 release may not have any FIPS
> support (at least initially). We're not going to try tackling a sixth new
> open source based validation on an at-risk basis like we've done in
> the past, as we think that risk is now too high. A new validation will
> require a sponsor willing to absorb that risk and champion the new
> validation within the government bureaucracy, and we have no such
> current prospects.
>
>> Will there be any code changes in the modules and will there be
>> a new version of the module (or will it be just the policy document
>> updated)?
>
> It's just a paper shuffle with no real-world impacts for
> end users.

-Steve M.

Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
