[openssl-users] Comments on the recent OpenSSL 3.0.0 specification
Jakob Bohm
jb-openssl at wisemo.com
Tue Feb 19 00:19:39 UTC 2019
(Resend from correct account)
On 15/02/2019 18:35, Salz, Rich via openssl-users wrote:
>> (as for "possibly not the FIPS provider", that's exactly right. That
>> one *will* be a loadable module and nothing else, and will only be
>> validated as such... meaning that no one can stop you from hacking
>> around and have it linked in statically, but that would make it
>> invalid re FIPS)
> To be pedantic: this is true only *if you are using the OpenSSL
> validation.* If you are getting your own validation (such as using
> OpenSSL in an HSM device or whatnot), this is not true.
> > - If permitted by the CMVP rules, allow an option for
> > application provided (additional) entropy input to the RNG
> > from outside the module boundary.
> This is allowed, but it does not count toward the "minimum entropy"
> requirements. Anything after the first seeding falls into that category.
>
Thanks, the document wording made it look like the OpenSSL 3 FIPS RNG would
only accept the system entropy source.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded