[openssl-users] FIPS module 2.0.10 revision approved

Steve Marquess marquess at openssl.com
Mon Sep 7 12:28:12 UTC 2015

If you don't know or care what FIPS 140-2 is, then rejoice in your good
fortune and run don't walk back to your brighter and happier world.

The CMVP has approved the pending change letter update for the 2.0.10
revision to the #1747 validation, and at the same time they fixed
the typos in their "Big Blob o' Text". I've summarized the results here
(since the Big Blob is still essentially unreadable):


Note some of the "hostage" platforms are restored (partially) and the
red scold text is gone.

The same 2.0.10 change letter was submitted against the #2398 validation
at the same time and that has not been approved yet. When it is those
ten new platforms will appear on that validation as well. Those
platforms were submitted against both validations since we were not sure
what to expect. A 2.0.11 change letter update is also pending for the
#2398 validation.

We now know we can't add any more new platforms to the #1747 validation,
because one of the CMVP responses to that change letter submission was a
demand that we retroactively alter yet more previously approved platform
descriptions (i.e., new "hostages"). We were able to deflect that by
noting that the issue cited (optimized platforms with no non-optimized
counterparts) is present in multiple very recently approved validations.
But, the lesson is clear: any attempt to add new platforms means open
season on older ones. So, we don't dare try to add any more platforms to
#1747. We may eventually encounter the same issue with the clone
validations too (e.g. #2398 and its still pending "RE" twin). The #1747
validation will remain at revision 2.0.10 forever.

For now we're apparently still able to add platforms to the #2398
validation. We'll have to wait to see if any more surprises are in
store. For now we are continuing to write change letter platform
validation contracts, but with yet more caveats as the risk factors seem
to keep rising.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list