[14032] in cryptography@c2.net mail archive
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
daemon@ATHENA.MIT.EDU (Wei Dai)
Sat Sep 6 13:51:29 2003
X-Original-To: cryptography@metzdowd.com
Date: Fri, 5 Sep 2003 18:02:10 -0400
From: Wei Dai <weidai@weidai.com>
To: Anton Stiglic <astiglic@okiok.com>
Cc: Joshua Hill <josh-crypto@untruth.org>,
Rich Salz <rsalz@datapower.com>, cryptography@metzdowd.com
In-Reply-To: <014d01c373ea$6f92a990$3f00a8c0@p1038mobile>; from astiglic@okiok.com on Fri, Sep 05, 2003 at 04:15:22PM -0400

On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote:
> You are correct, I just saw Crypto++ in the list of FIPS 140 validated
> modules:
> http://csrc.nist.gov/cryptval/140-1/140val-all.htm
> It is the latest entry, added today.
> Congratulations to Wei Dai!

Thanks! Also thanks to Groove Networks (the company I work for) for
spending the money to do the validation.

> OpenSSL's *source code* being evaluated remains exciting.

If OpenSSL source code gets validated, I'm going to be very surprised.
NIST told us in no uncertain terms that only compiled executable code
could be validated. In fact they wouldn't even validate Crypto++ as a
static library despite an earlier verbal agreement that a static
library was ok. It had to be turned into a DLL at the last moment (i.e.
during the review phase).

(We wanted to avoid making a DLL from Crypto++ since it has so many
algorithms. With a static library the linker would only bring in the
algorithms you use, but a DLL has to contain a pre-selected set of
algorithms. I ended up putting only FIPS Approved algorithms in the
DLL, and made a second static library that contains only
non-Approved algorithms, so that both could be used together.)