[openssl-users] Need Information on validation for OpenSSL FIPS

Kamal, Murali Murali.Kamal at ca.com
Wed Jun 15 12:44:43 UTC 2016

Hi Team,

I read through the content on the "OpenSSL" page regarding the 'hostage', 'ransom' and 'aftermath' details.

As I understand it,
the currently active 'SE version' or #2398 (2.0.12) has been validated/certified only on 23 new platforms (as per its 'Security Policy' pdf on NIST site)
and the other 100+ platforms of cert-number #1747 & #2743 (TAR ball 2.0.10) will be considered as "vendor-affirmed" or "user-affirmed" (as per section 'G5' of NIST Implementation Guide pdf) for this "SE or 2.0.12" version;
because this 2.0.12 version "functionally supports all previous platforms" (but not listed/stated explicitly by NIST for 2.0.12 or 2.0.13 or 2.0.N version of the module).

Is my understanding correct?

If No, I request you to provide inputs to correct my understanding.

If Yes, then considering that we get a "Premium Level" support contract with OpenSSL Software Services (commercial consulting entity),
can we again raise a NEW 'Validation/certification request' against an old platform that is already part of #1747 or #2743?

The purpose of my above question is that we don't want to build 2 versions of our product, one that is built with 2.0.10 and another with 2.0.12 or higher, for the same OS with different versions (say FreeBSD 9.x and 10.x) to claim FIPS-validated status.
This way, we may be able to pay for re-asserting/revalidating by a CMVP for a dozen old platforms that are already part of #1747 or #2743 again in #2398 (2.0.12) or 2.0.N;
thereby we can build our product using #2398 or some NEW certificate number #xxxx and claim "FIPS-validated" status with just one TAR ball (say 2.0.12 or some 2.0.N).
So that my product documentation would be clear with just ONE certificate number (either #2398 or #2473 or a #Brand_new_num) for all platforms of my interest.
Because there will be some skeptical customers who would go to the NIST site for the certificate number we quote (#xxxx) and look for a list of "NIST-CMVP-Validated" platforms against a given #xxxx, as they may not agree to "user-affirmed" or "vendor-affirmed" platforms as "FIPS-Validated".

Murali Kamal
Senior Software Engineer