[openssl-users] FIPS: Common method executed in case of error

Steve Marquess marquess at openssl.com
Tue Mar 10 12:56:15 UTC 2015


On 03/10/2015 08:20 AM, jonetsu wrote:
> ...
> Steve has replied that indeed the validation will be lost - I wonder
> if that would have any impact on the total validation costs for a
> whole unit, OS and apps?

You're talking about a Level 2 validation (or higher)? You most
definitely do *not* want to include the OS or applications in the
"cryptographic module boundary" for Level 1.

> Would a non-modified FIPS OpenSSL library
> reduce the validation costs?

I think you're going to be shocked at the cost (in time and money) to
validate a hacked OpenSSL FIPS module, compared to using it as-is or a
"change letter" update. That's because the CMVP has introduced a number
of new requirements since the current FIPS module was validated (in
2012), and any new validation will now need to satisfy those. That means
not only non-trivial code hacks unrelated to yours, but also a new paper
shuffle for the "arm waving" (DTR) components of the validation process.
The cost of the latter dwarfs the former, which is why we have not
attempted a new validation ourselves.

But, that cost could be dwarfed in turn by that of a Level 2 or 3
validation of a turnkey system including OS and apps.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

