Domain: oss-institute.org
Stories and comments across the archive that link to oss-institute.org.
Comments · 15
-
Re:FYI: Openssl FIPS Details
From http://oss-institute.org/fips-faq.html
3) What exactly is being validated? The OpenSSL Crypto modules? The whole distribution? FIPS 140-2 is concerned with cryptographic module implementations, not applications or products per se. The FIPS 140-2 "cryptographic module" defined for OpenSSL contains the FIPS 140 specific cryptographic API and algorithm implementations only; i.e. the API for low level algorithms (RSA, AES, 3DES, DSA, SHA-1). This cryptographic module is a minimal subset of the full OpenSSL distribution which is essentially just the *.c and *.h files for the relevant crypto algorithms.
And they don't even certify the entire package, only the encryption algorithms. Haven't cryptographers spent forever showing how to implement secure algorithms? It would seem the majority of security flaws arise from the rest of the software package. The dinner the NIST guys got must have been pretty delicious. -
FYI: Openssl FIPS Details
Keep in mind a FIPS certified build of openssl requires specific but not complex build parameters.
Also keep in mind the Openssl project can't modify the fips-certified code parts. It would have to go back for certification and I doubt Novell/HP and ? want to pay for that again and again.
It would be interesting to hear if distros (or any users) are building and using it in applications in the FIPS mode.
Obligatory link: http://oss-institute.org/fips-faq.html -
I got this in the fips-nis-update mailing list
3:00 pm -- Tuesday, July 18, 2006
http://oss-institute.org/index.php?option=content&task=view&id=166&Itemid=
OpenSSL Module Certification Number 642: back on again...
To: OSSI
From: DOMUS IT Labs
RE: Status of OpenSSL Module (Certification #642)
I received a call this afternoon (Tuesday, July 18, 2006) from the NIST side from the CMVP. They have indicated that certificate #642 had incorrectly been marked as "revoked" during the web site update on Friday 14-Jul-2006. The CMVP has returned the certificate to its "not available" status and posted the following explanation regarding the terminology:
If a validation certificate is marked not available, the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.
If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.
Refer to http://csrc.nist.gov/cryptval/140-1/1401val.htm
Updated and resubmission continues on previous schedule.
----
it's never boring, that I can promise you.
stay tuned.
jmw
--
John M. Weathersby, Jr.
Executive Director
Open Source Software Institute
www.oss-institute.org
tel: 601.427.0152
Ad maiorem dei gloriam (AMDG)
Audentes fortuna juvat -
"Pending" for 2 weeks
Congrats and thanks to the team - I can only imagine what a struggle this has been.
From http://www.oss-institute.org/
Two points to remember please: a) the validation is still considered
"pending" until it is posted on the NIST site...in no more than 2
weeks from the announcement date -- NIST official protocol, and b)
the validation does not immediately solve all FIPS 140-2 compliance
issues.
The big thing available now is "OpenSSL Security Policy Version 1.0"
http://oss-institute.org/images/OpenSSL_SecurityPolicy_FINAL.pdf
This document is required as a part of the FIPS 140-2 validation
process. It describes the OpenSSL FIPS cryptographic module in
relation to FIPS 140-2 requirements. The companion document
OpenSSL FIPS 140-2 User Guide (Reference 14) is a technical
reference for developers using, and system administrators
installing, the OpenSSL FIPS software, for use in risk assessment
reviews by security auditors, and as a summary and overview for
program managers.
The "validated OpenSSL USER GUIDE" will be available within two weeks
of the announcement date.
No sign yet of OpenSSL 0.9.7j on the openssl site.
There is an email list available for updates:
http://mail.oss-institute.org/mailman/listinfo/fips-nist-update_oss-institute.org -
Re:Common Criteria evaluation is mostly worthless
Yeah.
A little Googling revealed a FAQ about HP and Defense Medical Logistics Standard Support (DMLSS) program of the DoD Military Health System sponsoring a validation test for OpenSSL 0.9.7b for FIPS-140 certification of its cryptographic modules.
Besides being widely used, I gather that certification of the cryptographic modules alone can help later versions of OpenSSL be credible so long as the crypto module remains the same.
As usual, any corporate and/or government sponsor for work like this gets extra gold stars in my book when it comes time to evaluate which product to buy from which company, which govt program to support, etc.
-
Re:Market Share
I say FUD. HP is doing plenty to support linux, as well as development. They sponsor:
- Gentoo, GNOME
- Linux International
- Free Standards Group (the LSB is a workgroup of these guys)
- the OSS Institute
- OSDL, Kernel.org
- etc.
HP has many people hacking the linux kernel. Of course, IBM is doing great stuff as well, but you sketched the situation in a much too black & white way. -
The Open Source Software Institute...
...is a big supporter of this sort of thing. Check them out here. The OSSI is chaired by John Weathersby, who seems to have a good handle on how to communicate effectively via standards, reports, certifications, and so on with folks in the U.S. government.
-
Re:For stats, see "Why OSS/FS? Look at the Numbers
Yup, thanks to the good folks at OSSI for the heads up on that article...
Tom
-
Re:Good News
The other thing I would like to see happen with all the Linux companies is to organize a general lobbying group to challenge MS's marketing force.
Well, there's the Open Source Software Institute that lobbies for Open Source in government and academic organizations.
Some vendors are low-profile sponsors. I believe they also accept individual donations, which are tax-deductible because they're a non-profit.
-
Re:Procurement is half the battle.
There is some documented use of open source in the DoD (probably the least likely to use open source, IMHO) right now. See:
This Study from NAVOCEANO (Naval Oceanographic Office).
This program was produced in conjunction with the Open Source Software Institute, a non-profit to encourage open source usage in government. -
OSSI mailing list
The OSSI has a mailing list for discussing Open Source and federal Projects.
subscribe:
opengovtprojects mailing list
or email:
opengovtprojects-request@oss-institute.org with the word subscribe as the subject -