[openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

Jakob Bohm jb-openssl at wisemo.com
Mon Dec 21 12:06:33 UTC 2015


On 18/12/2015 19:58, Steve Marquess wrote:
> On 12/18/2015 12:58 PM, jonetsu wrote:
>> Fair enough (in this context).  But what about the code itself, is it ready
>> to be RSA 186-4 compliant?
> We think we know how to write the code that would be necessary, for FIPS
> 186-4 and all the other new requirements, though you can never be sure
> until *your* specific module has been formally validated. Given the
> capriciousness of the FIPS 140-2 validation process, which I've
> commented on frequently, the fact that someone else did something in
> *their* validation doesn't necessarily mean a lot for *your* validation.
>
> But, without an open source based validation in which such code would
> have any general utility, we see no point in writing FIPS specific code.
> We're not in the business of doing speculative software development.
>
>> And, if we go through a validation, can OpenSSL benefit from it?
> By "we" do you mean some sort of proprietary commercial validation?
> Those don't contribute at all to the availability of a no-cost open
> source validated module; code is worthless (even "open source" code) for
> the purposes of satisfying the USG/DoD FIPS 140-2 procurement
> requirements if it hasn't been sprinkled with the magical pixie dust of
> FIPS 140-2 validation.
>
> Writing the code isn't trivial, but that has never been the hard part...
Maybe he is asking that if "they" contribute the code, could this
ease the (non-bureaucratic) work that OpenSSL would need to do for
that future "version 3" FIPS module?

Enjoy and Merry Christmas

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


