[openssl-users] FIPS Certification

Steve Marquess marquess at openssl.com
Wed Jan 27 17:02:56 UTC 2016

On 01/27/2016 11:54 AM, Jakob Bohm wrote:
> The unfortunate people who are legally required to use
> FIPS-validated crypto are legally restricted to use
> *only* the crypto sw/hw on the FIPS validated list and
> *only* in the specific configurations (OS etc.) listed
> for each on that list.

Well, there is I.G. G.5, a perfectly legitimate though often
under-utilized tactic.  As noted in my last message it's generally
accepted that "on the list" doesn't necessarily mean a literal string
match, though even then there will always be a huge number of platforms
that are not formally tested OEs.

> Everybody else is better off not trying to use FIPS-
> restricted modes and setups.
> ...

This is a good point worth repeating: use FIPS 140-2 validated
cryptography only because you must, not because you think it is somehow
"better". It isn't; the validated crypto is necessarily inferior to its
unvalidated equivalent (e.g. stock OpenSSL in the case of the OpenSSL
FIPS Object Module) by every real world metric (security, performance,

-Steve M.

Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list