[openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

Steve Marquess marquess at openssl.com
Mon Dec 21 13:18:55 UTC 2015

On 12/21/2015 07:06 AM, Jakob Bohm wrote:
> On 18/12/2015 19:58, Steve Marquess wrote:
>> On 12/18/2015 12:58 PM, jonetsu wrote:
>>> Fair enough (in this context). But what about the code itself, is it
>>> ready to be RSA 186-4 compliant?
>> We think we know how to write the code that would be necessary, for FIPS
>> 186-4 and all the other new requirements, though you can never be sure
>> until *your* specific module has been formally validated. Given the
>> capriciousness of the FIPS 140-2 validation process, which I've
>> commented on frequently, the fact that someone else did something in
>> *their* validation doesn't necessarily mean a lot for *your* validation.
>> But, without an open source based validation in which such code would
>> have any general utility, we see no point in writing FIPS specific code.
>> We're not in the business of doing speculative software development.
>>> And, if we go through a validation, can OpenSSL benefit from it ?
>> By "we" do you mean some sort of proprietary commercial validation?
>> Those don't contribute at all to the availability of a no-cost open
>> source validated module; code is worthless (even "open source" code) for
>> the purposes of satisfying the USG/DoD FIPS 140-2 procurement
>> requirements if it hasn't been sprinkled with the magical pixie dust of
>> FIPS 140-2 validation.
>> Writing the code isn't trivial, but that has never been the hard part...
> Maybe he is asking that if "they" contribute the code, could this
> ease the (non-bureaucratic) work that OpenSSL would need to do for
> that future "version 3" FIPS module?

No, because my colleagues have very specific and detailed ideas on how
the new FIPS specific code would be implemented; as with many
contributions the effort of adapting a third party contribution would be
as much or more work than writing it from scratch.

Availability of code isn't the obstacle here.

-Steve M.

Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
