[openssl-users] FIPS 140-2 X9.31 RNG transition expenses

R C Delgado rcdelgado05 at gmail.com
Thu Dec 3 15:41:19 UTC 2015

Thank you Steve,

This is very useful information.

>>I'm getting private queries about this (why is there is such reluctance
to discuss the delights of FIPS 140-2 in public?).

I've noticed technical questions related to private FIPS certifications
never get answered, at least not on this distribution list. I know mine was
never answered. Maybe that's why users are reluctant to post their
questions publicly and hope that a private email will get answered
for sure.
Obviously there are also company restrictions related to confidentiality to
consider, knowing that competitors and even customers are registered on the
distribution list too.

BTW, I had guessed why FIPS certification questions don't get answered:
it's all about funding, but thank you for explaining it in your email.
>>... FIPS validation business; it has gone
from economically marginal to unsustainable and as a result we'll
probably be shutting down the corporate entity that does the FIPS
validation work at the end of this year. I want to turn off the lights
while that business is still (barely) in the black...

I think a formal statement should be posted on the OpenSSL website, so that
all (FIPS) users know the level of support to expect.

Thank you all for you great work.

On Wed, Dec 2, 2015 at 6:56 PM, Steve Marquess <marquess at openssl.com> wrote:

> On 12/02/2015 11:16 AM, Steve Marquess wrote:
> > If you don't know or care what FIPS 140-2 is, be very glad this isn't >
> your problem and turn your charitable attentions to some worthy > cause. >
> > The CMVP has introduced a new policy that will result in the > effective
> termination of many extant validations if they are not > updated by January
> 31 2016[1]. That update is a pure paper shuffle > -- adding politically
> correct verbiage to the Security Policy > document -- but without it the
> CMVP will "de-list" the validation. > > ... > > So if you're a corporate
> user of the OpenSSL FIPS Object Module
> > v2.0 validation(s) #1747/#2398/#2473, and want to continue using
> > it past January 31, please be aware we'll need someone to cover
> > that $1250 cost. > > Don't send any money to us; if you're interested
> in covering this > cost I'll put you directly in touch with the test lab to
> work out > specific payment arrangements. > > ...
> I'm getting private queries about this (why is there is such reluctance to
> discuss the delights of FIPS 140-2 in public?). To save some time here's an
> anonymous query I received, with my reply:
> >> ... We are thinking of using openssl FIPS in our product but >> haven't
> started the work yet. >> >> What will be the impacts to people like us who
> want to use the >> OpenSSL FIPS modules but haven't started yet? Should we
> still use >> the modules now or should we wait? > > Well, the
> #1747/#2398/#2473 validation is very widely used, so > while the CMVP may
> block our future FIPS related initiatives I don't > think they would dare
> kill those validations outright. Some > stakeholder will pay the cost to
> surmount this latest obstacle, in > fact we have had some contacts already.
> > > So I think you have safety in numbers if you decide to use that >
> module now, and should be good for the next year or two. Keep
> > in mind though that the long term future of the FIPS module is in
> > doubt, as the upcoming OpenSSL 1.1 release may not have any FIPS
> > support (at least initially). We're not going to try tackling a sixth
> new
> > open source based validation on an at-risk basis like we've done in
> > the past, as we think that risk is now too high. A new validation will
> > require a sponsor willing to absorb that risk and champion the new >
> validation within the government bureaucracy, and we have no such > current
> prospects. > >> Will there be any code changes in the modules and will
> there be
> >> new version of module (or will it be just the policy document >>
> updated)? > > It's just a paper shuffle with no real-world impacts for end
> users.
> -Steve M.
> --
> Steve Marquess
> OpenSSL Software Foundation
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151203/f0f06e3a/attachment.html>

More information about the openssl-users mailing list