OpenSSL *source* to get FIPS 140-2 Level 1 certification
Wei Dai
weidai at weidai.com
Fri Sep 5 18:02:10 EDT 2003
On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote:
> You are correct, I just saw Crypto++ in the list of FIPS 140 validated
> modules:
> http://csrc.nist.gov/cryptval/140-1/140val-all.htm
> It is the latest entry, added today.
> Congratulations to Wei Dai!
Thanks! Also thanks to Groove Networks (the company I work for) for
spending the money to do the validation.
> OpenSSL's *source code* being evaluated remains exciting.
If OpenSSL source code gets validated, I'm going to be very surprised.
NIST told us in no uncertain terms that only compiled executable code
could be validated. In fact they wouldn't even validate Crypto++ as a
static library despite an earlier verbal agreement that a static
library was ok. It had to be turned into a DLL at the last moment (i.e.
during the review phase).
(We wanted to avoid making a DLL from Crypto++ since it has so many
algorithms. With a static library the linker would only bring in the
algorithms you use, but a DLL has to contain a pre-selected set of
algorithms. I ended up putting only FIPS Approved algorithms in the
DLL, and made a second static library that contains only
non-Approved algorithms, so that both could be used together.)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com