[14045] in cryptography@c2.net mail archive
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
daemon@ATHENA.MIT.EDU (Wei Dai)
Sat Sep 6 19:16:08 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Sat, 6 Sep 2003 15:33:44 -0400
From: Wei Dai <weidai@weidai.com>
To: Ben Laurie <ben@algroup.co.uk>
Cc: Anton Stiglic <astiglic@okiok.com>,
Joshua Hill <josh-crypto@untruth.org>,
Rich Salz <rsalz@datapower.com>, cryptography@metzdowd.com
In-Reply-To: <3F5A2893.6090004@algroup.co.uk>; from ben@algroup.co.uk on Sat, Sep 06, 2003 at 07:33:55PM +0100
On Sat, Sep 06, 2003 at 07:33:55PM +0100, Ben Laurie wrote:
> Prepare to be very surprised, then.
Do you have *written* guidance from NIST/CSE that your approach is ok?
(Not the testing lab, what they say don't really count in the end, and
neither does what NIST/CSE say verbally.) If so can you please post that
written guidance?
> This is all good fun, coz I'm mandating static libraries for OpenSSL, so
> that the evidential chain can be maintained (its hard to find a DSO in a
> cross-platform manner so you can checksum it).
If NIST/CSE is really allowing OpenSSL source code and static libraries to
be validated, I should go back to them and demand the same treatment for
Crypto++. Who have you been working with on the government's side?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
