[openssl-users] FIPS 140-2 X9.31 RNG transition expenses

Steve Marquess marquess at openssl.com
Tue Dec 22 13:08:04 UTC 2015

On 12/21/2015 09:32 PM, Salz, Rich wrote:
>> Just want to confirm on this item. Are we saying that to get
>> openssl back to be FIPS compliance is just a paper shuffle. If so
>> is there any expected eta on it as our team is using openssl
>> version for a security project and we need a fips compliance
>> library.
> No.
> We have answered this many times, but perhaps the messages were too
> long and confusing.

Yes indeed (mea culpa). It's such a mess I don't know how to address it
succinctly. Part of the problem is that there are multiple intertwined

I think the term "paper shuffle" in this context refers to the "X9.31
RNG transition" issue which is (hopefully) a one shot aberration, one
pothole in the vast wasteland of FIPS 140-2 validations. That is
(mostly) addressed, in that a benefactor has come forward (Datagravity,
Inc.) to pay the test lab fees necessary for filing the necessary
paperwork. That has been done and now we are just waiting on the usual
slow bureaucratic process. I'll make an announcement when that paper
shuffle is complete.

> We are not doing any work on adding new platforms at this time.  If
> you cannot use one of the existing platforms, then there is no FIPS
> support available "for free."

No "freebies". However, we are continuing to perform *sponsored* (some
one pays for it) "change letter" additions of new platforms to the
*existing* OpenSSL FIPS module (validations #1747/#2398/#2473). We will
continue to do so for as long as such updates are technically and
economically feasible. Just last week eleven new platforms were added to
that module this way, and more platforms are pending.

Those aren't free in that some sponsor needs to fund them initially, but
once done those platforms are available to everyone. That is the
collaborative process by which the OpenSSL FIPS module has grown to
support some 120 platforms, more by far than for any other FIPS 140-2
validated module.

> We are not taking on a new validation with new algorithms, etc.,
> unless we get one or more sponsors who are willing to contribute a
> significant amount of money, among other things.

Correct ... we are eager to do so but lack the opportunity at present. I
remain hopeful that we will be able to attempt this at some point.

-Steve M.

Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list