[openssl-users] FIPS Certification

Steve Marquess marquess at openssl.com
Wed Jan 27 19:31:55 UTC 2016


On 01/27/2016 01:19 PM, Imran Ali wrote:
> Thanks Steve - for the explanation. 
> 
> We are using these libraries for Windows 2012 R2 which is 6.3 and certificate #1747 mentions Windows 7 which is 6.1. I am hoping based on below that we are OK to use it under Windows 2012 R2.
> 
> https://msdn.microsoft.com/en-gb/library/windows/desktop/ms724832(v=vs.85).aspx

"Windows 2012 R2" and "Windows 7" are different OEs in FIPS-land. The
CMVP goes by nominal OS branding and doesn't pay any attention to the
actual underlying software. For instance, if you roll your own "white
box" system from a Linux kernel then your OS is (say) "Linux 3.10". When
you upgrade that kernel to 3.13, then you no longer have a match with
the "Linux 3.10" OE.

But, if you instead used an "Ubuntu 14.04" system and the OS vendor
(Canonical) upgraded the kernel from 3.10 to 3.13, then you'd still have
a match because it is still called "Ubuntu 14.04". So what to a software
engineer is superficial branding becomes significant in FIPS-land. Note
for that reason many vendors with "white box" systems choose to give
their customized OS a distinctive brand name (e.g. "AcmeOS 1.0") so that
the same formally tested OE will cover multiple Linux kernels under that
OS brand name and unchanged OS version number.

It would be a bit of a stretch to re-brand Microsoft Windows, though.
Your options are to leverage I.G. G.5 "user affirmation", or to sponsor
addition of a Windows 2012 R2 platform.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

