[openssl-users] Key Deriviation Function Tests for TLS

Steve Marquess marquess at openssl.com
Wed Sep 30 13:34:39 UTC 2015

On 09/30/2015 09:18 AM, Jakob Bohm wrote:
> Under the new "contribution agreement" scheme, publishing such items
> early would also make them available to users ...

Publishing by someone else is fine, go for it. It would be nice to have
someone else publish FIPS module code, or validation information of any
kind for that matter. I think the validation process would be a lot less
capricious with less of the secrecy that is the current norm.

Anything we (OpenSSL) publish carries with it an implied support
obligation, and that's the key problem with FIPS specific code: it can't
be "verified" in any meaningful sense other than with an official formal
FIPS 140-2 validation. The FIPS 140-2 requirements are more metaphysical
and ideological than technical, and what's worse those requirements are
applied very subjectively. By that I mean that on multiple occasions
I've had the experience of taking very similar or even precisely
identical code through parallel validations, with different end results.

The presence of FIPS specific code in an OpenSSL repo would imply some
sort of suitability for use with FIPS validations. No matter how many
disclaimers and caveats we attached to that, there would still be
vendors trying to use it to obtain validations and encountering
problems. Guess who they're gonna call?

That problem is avoided if we obtain an open source based validation --
one where the module is distributed in source code form -- that has been
successfully validated. That validation then speaks for itself.

>> ...
>> We also have plans for a significant rewrite of the FIPS module
>> from its current form, and it's unlikely any third party submissions
>> would fit that vision.
> Interesting, I wonder if those plans include my previously
> posted ideas:
> ...

There are some issues with those ideas, but now is not the time to get
into details. We'll worry about it if and when we have an opportunity to
do a new open source based validation.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list