OpenSSL *source* to get FIPS 140-2 Level 1 certification
Wei Dai
weidai at weidai.com
Mon Sep 15 12:57:55 EDT 2003
On Sat, Sep 06, 2003 at 03:33:44PM -0400, Wei Dai wrote:
> Do you have *written* guidance from NIST/CSE that your approach is ok?
> (Not the testing lab, what they say don't really count in the end, and
> neither does what NIST/CSE say verbally.) If so can you please post that
> written guidance?
I think I may have found such a written guidance myself. It's guidance
G.5, dated 8/6/2003, in the latest "Implementation Guidance for FIPS
140-2" on NIST's web site:
http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf. This section seems
especially relevant:
For level 1 Operational Environment, the software cryptographic module
will remain compliant with the FIPS 140-2 validation when operating on
any general purpose computer (GPC) provided that:
a. the GPC uses the specified single user operating system/mode
specified on the validation certificate, or another compatible single
user operating system, and
b. the source code of the software cryptographic module does not
require modification prior to recompilation to allow porting to another
compatible single user operating system.
(end quote)
The key word here must be "recompilation". The language in an earlier
version of the same guidance was this:
b. the software of the cryptographic module does not require
modification when ported (platform specific configuration modifications
are excluded).
which left the source code issue ambiguous, but in practice NIST/CSE
did not validate any source code and told everyone verbally that source
code could not be validated. I'd love to know how the OpenSSL team got
NIST/CSE to change their mind.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list