OpenSSL *source* to get FIPS 140-2 Level 1 certification
Ben Laurie
ben at algroup.co.uk
Sat Sep 6 14:33:55 EDT 2003
Wei Dai wrote:
> On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote:
>
>>You are correct, I just saw Crypto++ in the list of FIPS 140 validated
>>modules:
>>http://csrc.nist.gov/cryptval/140-1/140val-all.htm
>>It is the latest entry, added today.
>>Congratulations to Wei Dai!
>
>
> Thanks! Also thanks to Groove Networks (the company I work for) for
> spending the money to do the validation.
>
>
>>OpenSSL's *source code* being evaluated remains exciting.
>
>
> If OpenSSL source code gets validated, I'm going to be very surprised.

Prepare to be very surprised, then.

> NIST told us in no uncertain terms that only compiled executable code
> could be validated. In fact they wouldn't even validate Crypto++ as a
> static library despite an earlier verbal agreement that a static
> library was ok. It had to be turned into a DLL at the last moment (i.e.
> during the review phase).

This is all good fun, coz I'm mandating static libraries for OpenSSL, so
that the evidential chain can be maintained (it's hard to find a DSO in a
cross-platform manner so you can checksum it).

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff