[openssl-users] Attack of the FIPS 140-2 Clones

Steve Marquess marquess at openssl.com
Tue May 10 14:47:13 UTC 2016

If you neither know nor care what FIPS 140-2 is, count yourself lucky
and move on (even if you're a Star Wars fan; this isn't nearly as

The "Alternative Scenario 1A/1B" aka "clone" aka "rebrand" validations
have been an endless source of confusion, even for the accredited test
labs and the CMVP. The one bright spot is that these clone validations
indirectly expand the number of formally tested platforms ("Operational
Environments" in FIPS-speak) available to all OpenSSL FIPS Object Module

I've added a new section, 2.10, to the OpenSSL FIPS User Guide that
summarizes this set of platforms:


As of today there are nine such clone validations, in addition to the
ancestral #1747 validation all are derived from. Collectively they cover
178 unique platforms which are listed in alphabetical order in table 2.10b.

-Steve M.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list