Slashdot Mirror


OpenSSL Receives FIPS 140-2 Validation

Argon writes "Close on the heels of NewsForge reporting about a Government Agency dragging its heels on OpenSSL validation comes the news that OpenSSL receives FIPS Certification. More details are available at the Open Source Institute site which has been driving the effort to get OpenSSL certified. FIPS 140-2 certification allows software using the certified version of OpenSSL to get into various Government departments previously not possible, thus increasing penetration of Free Software in Government."

5 of 46 comments

  1. So will this end gnutls? by Anonymous Coward · Score: 2, Interesting

    I mean... I do think it to be good that the market offers multiple solutions to certain issues, freedom of choice is a good thing. However I sometimes don't understand why sometimes people are very desperate to re-invent the wheel "just because". It usually starts with "it's not free / open sourced" (as they say about Java), "it's too complicated", and I guess there are numerous other reasons. Don't get me wrong; I'm not claiming that those reasons are nonsense per se.

    But what I do find frustrating is when the original software is very usable, has earned its spurs multiple times and as such deserves some credit. Instead people desperately try to mimic it sometimes, even resulting in an environment which doesn't even come close to working as the original. Resulting in "yet another environment". On Linux for example you can basically say that it has 2 TLS solutions: openssl and gnutls.

    Personally I think this is silly, and basically no different from what the big companies do. Many people whine about how many different standards there are and how this should be made easier and more free, only to end up doing exactly the same.

    Kudos to openssl! Very impressive and still my personal favorite when it comes to providing SSL based solutions.

  2. Is the end of RSA Security (the company)? by Anonymous Coward · Score: 3, Interesting

    OpenSSL has long been the choice crypto library for many commercial applications. When such products need to be sold into government they invariably face the issue of FIPS 140-2 certification. Does an OpenSSL FIPS 140-2 module signal the end of RSA Security? Other than their SecurID tokens RSA do not seem to have a lot more to offer.

    1. Re: Is the end of RSA Security (the company)? by Halo- · Score: 2, Interesting

      Let me answer that with a resounding: "Huh?"

      "Does an OpenSSL FIPS 140-2 module signal the end of RSA Security? Other than their SecurID tokens RSA do not seem to have a lot more to offer."

      FIPS 140-2 is basically a standard for the correctness and security of an algorithm. OpenSSL implements things like the RSA algorithm, and their implementation has been certified as "safe" for government use to a certain level of assurance. This doesn't have anything to do with RSA Security (the company), SecurID, or anything like that.

      RSA (the algorithm) is still very, very much alive and doesn't show any sign of going anywhere for many years. This is due in part to the fact that the only other option is elliptic curve (ECC), which is patented, and will be for some time to come.

  3. Level 1 by swillden · Score: 2, Interesting

    The article notes that OpenSSL has achieved level 1, "the lowest of four possible validation levels". It should be noted, however, that level 1 is also the only level achievable by a software implementation. Level 2 requires physical "tamper evidence", which isn't achievable without something physical on which the tampering would be evident. Just for completeness, level 3 and level 4 require different degrees of "tamper resistance".

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  4. Cool! by Spy der Mann · Score: 2, Interesting

    I hope now they can use that as a legitimate reason to finish documenting the libraries...


    # openssl(1): [STILL INCOMPLETE]
    Manual page documenting the openssl command line tool.

    # ssl(3): [STILL INCOMPLETE]
    Manual page documenting the OpenSSL SSL/TLS library.

    # crypto(3): [STILL INCOMPLETE]
    Manual page documenting the OpenSSL Crypto library.

    # HOWTO: [STILL INCOMPLETE]
    HOWTO documents to introduce concepts or explain them in a way that is not possible in the manuals.