[openssl-users] FIPS 140-2 X9.31 RNG transition expenses

Steve Marquess marquess at openssl.com
Tue Dec 22 15:57:25 UTC 2015

On 12/14/2015 08:23 AM, Steve Marquess wrote:
> On 12/02/2015 11:16 AM, Steve Marquess wrote:
>> If you don't know or care what FIPS 140-2 is, be very glad this isn't
>> your problem and turn your charitable attentions to some worthy cause.
>> The CMVP has introduced a new policy that will result in the effective
>> termination of many extant validations if they are not updated by
>> January 31 2016[1]. That update is a pure paper shuffle -- adding
>> politically correct verbiage to the Security Policy document -- but
>> without it the CMVP will "de-list" the validation. The original OpenSSL
>> FIPS Object Module validations (#1747, #2398, #2473) and all validations
>> based on them -- which is a lot of validations -- are affected.
>> I'll be doing the labor to prepare the revised Security Policy documents
>> for all the validations that have been performed by OSF, both the well
>> known open source based ones and also "private label" ones, and the test
>> labs for some of those validations are also doing their part pro bono.
>> However, the test lab we used for the original open source based
>> validations (#1747, #2398, #2473) is charging $1250 for those three
>> related validations of the same module. Note this is not unreasonable as
>> these updates involve a non-trivial amount of work.
>> ...
> I'm pleased to report that this $1250 cost to paper-shuffle the
> #1747/#2398/#2473 validations has been covered, by Datagravity Inc.
> Within minutes of hearing of the issue for the first time the CEO,
> Paula Long, not only had a check en route to the test lab but also sent
> a scan of the check and envelope as a heads-up for the lab.
> ...

Three companies answered this call to cover the cost of the "X9.31 RNG
transition" paper shuffle. Datagravity (http://datagravity.com/) acted
quickly and decisively, and the requisite paperwork has begun its
journey through the bowels of the FIPS 140-2 bureaucracy.

I would like to note that another company, Niksun (https://niksun.com/),
also contacted the test lab to make arrangements for payment of that fee.
If not for Datagravity beating them to the punch they would have been
the benefactor for this very necessary action.

The third company (not named here by request) was vigorously pursuing an
in-house approvals process and would also have covered this effort.

I thank all three for volunteering to bail out the entire community of
OpenSSL FIPS module users.

-Steve M.

Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
