[openssl-users] FIPS certification for openssl

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Nov 29 13:58:18 UTC 2017


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Sandeep Umesh
> Sent: Wednesday, November 29, 2017 07:30
> To: openssl-users at openssl.org; info at openssl.org

> As per this blog:
> https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/

Thanks for pointing that out. I somehow hadn't even noticed there was an official OpenSSL blog (I'm now subscribed). I see from it that Steve Henson is also leaving (or has left) the project.

> Steve, who is instrumental in handling FIPS certification for openssl object module, is no longer associated with OSF.
> How can we proceed for future FIPS certification? Is there any other contact person to perform FIPS certification for
> openssl object module?

In homage to Steve, I'd like to point out that there's no such thing as "FIPS certification". Presumably you mean FIPS validation.

I assume that the OpenSSL Management Committee will find someone else to take on the various roles Steve Marquess filled over the years, including shepherding the FIPS validations through. Now that the OpenSSL Project is bigger and better-funded, it's quite possible FIPS validation, and other aspects, won't be as closely associated with a single person as they historically were.

And that's good, generally speaking; they should be owned by the Project and the OMC. While I'm sure we're all grateful to Steve M for his work with OpenSSL over the years - and I for one will miss hearing from him on this list, on matters FIPS-related and others - for a project as important as OpenSSL it's not really healthy for users to see aspects of it as tied to an individual.

That said, it wouldn't hurt for the OMC to post a message to the list stating that business will continue as planned, since two very key figures have left the project.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 


