[openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

Steve Marquess marquess at openssl.com
Fri Dec 18 18:58:52 UTC 2015

On 12/18/2015 12:58 PM, jonetsu wrote:
> Fair enough (in this context).  But what about the code itself, is it ready
> to be RSA 186-4 compliant ?

We think we know how to write the code that would be necessary, for FIPS
186-4 and all the other new requirements, though you can never be sure
until *your* specific module has been formally validated. Given the
capriciousness of the FIPS 140-2 validation process, which I've
commented on frequently, the fact that someone else did something in
*their* validation doesn't necessarily mean a lot for *your* validation.

But, without an open source based validation in which such code would
have any general utility, we see no point in writing FIPS specific code.
We're not in the business of doing speculative software development.

> And, if we go through a validation, can OpenSSL benefit from it ?

By "we" do you mean some sort of proprietary commercial validation?
Those don't contribute at all to the availability of a no-cost open
source validated module; code is worthless (even "open source" code) for
the purposes of satisfying the USG/DoD FIPS 140-2 procurement
requirements if it hasn't been sprinkled with the magical pixie dust of
FIPS 140-2 validation.

Writing the code isn't trivial, but that has never been the hard part...

-Steve M.

Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list