[openssl-users] Key Deriviation Function Tests for TLS

Jakob Bohm jb-openssl at wisemo.com
Wed Sep 30 13:58:20 UTC 2015

On 30/09/2015 15:34, Steve Marquess wrote:
> On 09/30/2015 09:18 AM, Jakob Bohm wrote:
>> ...
>> Under the new "contribution agreement" scheme, publishing such items
>> early would also make them available to users ...
> Publishing by someone else is fine, go for it. It would be nice to have
> someone else publish FIPS module code, or validation information of any
> kind for that matter. I think the validation process would be a lot less
> capricious with less of the secrecy that is the current norm.

Point is that the contribution agreement contains a bug, whereby
anything not published by the OpenSSL Foundation in the UK is not
licensed to anyone.

Having a publication procedure for things marked "This does NOT
work in its current form, but we are giving you a license" works
around that bug to the benefit of anyone recovering the project
similar to how the original Australian project (SSLeay) was
recovered by Dr. Henson in the UK as OpenSSL.

> Anything we (OpenSSL) publish carries with it an implied support
> obligation, and that's the key problem with FIPS specific code: it can't
> be "verified" in any meaningful sense other than with an official formal
> FIPS 140-2 validation. The FIPS 140-2 requirements are more metaphysical
> and ideological than technical, and what's worse those requirements are
> applied very subjectively. By that I mean that on multiple occasions
> I've had the experience of taking very similar or even precisely
> identical code through parallel validations, with different end results.
> The presence of FIPS specific code in an OpenSSL repo would imply some
> sort of suitability for use with FIPS validations. No matter how many
> disclaimers and caveats we attached to that, there would still be
> vendors trying to use it to obtain validations and encountering
> problems. Guess who they're gonna call?
> That problem is avoided if we obtain an open source based validation --
> one where the module is distributed in source code form -- that has been
> successfully validated. That validation then speaks for itself.
>>> ...
>>> We also have plans for a significant rewrite of the FIPS module
>>> from its current form, and it's unlikely any third party submissions
>>> would fit that vision.
>> Interesting, I wonder if those plans include my previously
>> posted ideas:
>> ...
> There are some issues with those ideas, but now is not the time to get
> into details. We'll worry about it if and when we have an opportunity to
> do a new open source based validation.
Agreed, just making sure they were posted somewhere you
could find them when the time comes.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150930/d440ee0e/attachment.html>

More information about the openssl-users mailing list