OpenSSL *source* to get FIPS 140-2 Level 1 certification

Ben Laurie ben at algroup.co.uk
Sat Sep 6 14:33:55 EDT 2003


Wei Dai wrote:

> On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote:
> 
>>You are correct, I just saw Crypto++ in the list of FIPS 140 validated 
>>modules:
>>http://csrc.nist.gov/cryptval/140-1/140val-all.htm
>>It is the latest entry, added today.
>>Congratulations to Wei Dai!
> 
> 
> Thanks! Also thanks to Groove Networks (the company I work for) for 
> spending the money to do the validation.
> 
> 
>>OpenSSL's *source code* being evaluated remains exciting.
> 
> 
> If OpenSSL source code gets validated, I'm going to be very surprised.

Prepare to be very surprised, then.

> NIST told us in no uncertain terms that only compiled executable code 
> could be validated. In fact they wouldn't even validate Crypto++ as a 
> static library despite an earlier verbal agreement that a static 
> library was ok. It had to be turned into a DLL at the last moment (i.e. 
> during the review phase).

This is all good fun, coz I'm mandating static libraries for OpenSSL, so
that the evidential chain can be maintained (it's hard to find a DSO in a
cross-platform manner so you can checksum it).

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



---------------------------------------------------------------------
The Cryptography Mailing List