[openssl-users] FIPS 140-2 X9.31 RNG transition expenses

Steve Marquess marquess at openssl.com
Mon Dec 14 13:23:39 UTC 2015

On 12/02/2015 11:16 AM, Steve Marquess wrote:
> If you don't know or care what FIPS 140-2 is, be very glad this isn't
> your problem and turn your charitable attentions to some worthy cause.
> The CMVP has introduced a new policy that will result in the effective
> termination of many extant validations if they are not updated by
> January 31 2016[1]. That update is a pure paper shuffle -- adding
> politically correct verbiage to the Security Policy document -- but
> without it the CMVP will "de-list" the validation. The original OpenSSL
> FIPS Object Module validations (#1747, #2398, #2473) and all validations
> based on them -- which is a lot of validations -- are affected.
> I'll be doing the labor to prepare the revised Security Policy documents
> for all the validations that have been performed by OSF, both the well
> known open source based ones and also "private label" ones, and the test
> labs for some of those validations are also doing their part pro bono.
> However, the test lab we used for the original open source based
> validations (#1747, #2398, #2473) is charging $1250 for those three
> related validations of the same module. Note this is not unreasonable as
> these updates involve a non-trivial amount of work.
> ...

I'm pleased to report that this $1250 cost to paper-shuffle the
#1747/#2398/#2473 validations has been covered, by Datagravity Inc.
Within minutes of hearing of the issue for the first time the the CEO,
Paula Long, not only had a check en route to the test lab but also sent
a scan of the check and envelope as a heads-up for the lab.

It's refreshing to encounter a company, and not a tiny one at that,
which can complete the see-decide-act cycle in Internet time, when
others would just be warming up for a days or weeks long odyssey through
the bowels of an in-house corporate bureaucratic process.

In covering this cost Datagravity has not only addressed direct impacts
to their business from the threatened de-listing, but has also bailed
out the hundreds of commercial vendors and government agencies using
those validations.

Note it is still possible that those validations may still be briefly
de-listed, as the paperwork hasn't been submitted yet. Hopefully that
will happen this week, but the CMVP backlog for acting on such
submissions is typically several months and the deadline for de-listing
is only six weeks away during a time of year when the CMVP tends to move
at less than breakneck speed. I do not know for sure that they will
defer that when the requisite paperwork is sitting unreviewed in their

-Steve M.

Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list