OpenSSL *source* to get FIPS 140-2 Level 1 certification

Wei Dai weidai at weidai.com
Mon Sep 15 12:57:55 EDT 2003


On Sat, Sep 06, 2003 at 03:33:44PM -0400, Wei Dai wrote:
> Do you have *written* guidance from NIST/CSE that your approach is ok?
> (Not the testing lab, what they say doesn't really count in the end, and
> neither does what NIST/CSE say verbally.) If so can you please post that
> written guidance?

I think I may have found such written guidance myself. It's guidance 
G.5, dated 8/6/2003, in the latest "Implementation Guidance for FIPS 
140-2" on NIST's web site: 
http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf. This section seems 
especially relevant:

For level 1 Operational Environment, the software cryptographic module 
will remain compliant with the FIPS 140-2 validation when operating on 
any general purpose computer (GPC) provided that: 

a. the GPC uses the specified single user operating system/mode 
specified on the validation certificate, or another compatible single 
user operating system, and 

b. the source code of the software cryptographic module does not 
require modification prior to recompilation to allow porting to another 
compatible single user operating system.
(end quote)

The key word here must be "recompilation". The language in an earlier 
version of the same guidance was this:

b. the software of the cryptographic module does not require 
modification when ported (platform specific configuration modifications 
are excluded).

which left the source code issue ambiguous, but in practice NIST/CSE
did not validate any source code and told everyone verbally that source
code could not be validated. I'd love to know how the OpenSSL team got
NIST/CSE to change their mind.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com