Slashdot Mirror


OpenSSL loses FIPS 140-2 Certification (Or Not)

OhHellWithIt writes "Government Computer News reported on Tuesday that OpenSSL has lost FIPS 140-2 certification, only six months after receiving it. It sounds like bad news for those of us who would like to see open source gain more of a foothold in U.S. federal workplaces." Readers have since updated this story: the certification status has shifted again.

6 of 102 comments

  1. I got this in the fips-nis-update mailing list by Argon · · Score: 5, Informative

    3:00 pm -- Tuesday, July 18, 2006

    http://oss-institute.org/index.php?option=content&task=view&id=166&Itemid=

    OpenSSL Module Certification Number 642: back on again...

    To: OSSI
    From: DOMUS IT Labs
    RE: Status of OpenSSL Module (Certification #642)

    I received a call this afternoon (Tuesday, July 18, 2006) from the NIST side from the CMVP. They have indicated that certificate #642 had incorrectly been marked as "revoked" during the web site update on Friday 14-Jul-2006. The CMVP has returned the certificate to its "not available" status and posted the following explanation regarding the terminology:

    If a validation certificate is marked not available, the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

    If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

    Refer to http://csrc.nist.gov/cryptval/140-1/1401val.htm

    Updated and resubmission continues on previous schedule.

    ----
    it's never boring, that I can promise you.
    stay tuned.
    jmw

    --
    John M. Weathersby, Jr.
    Executive Director
    Open Source Software Institute
    www.oss-institute.org
    tel: 601.427.0152

    Ad maiorem dei gloriam (AMDG)
    Audentes fortuna juvat

  2. Saving$ are for Sucker$ by digitaldc · · Score: 3, Informative

    An official with the Defense Department's Defense Medical Logistics Standard Support program told GCN when certification was granted that OpenSSL could save the program hundreds of thousands of dollars.

    Just speculating here, but maybe it is due to 'competition' by a high-priced commercial alternative that was pushed through by lobbyists?
    Why save US taxpayers hundreds of thousands of dollars when you can benefit yourself and rack up huge profits for your corporate friends?


    Further reading: http://www.boston.com/news/local/maine/articles/2006/07/19/audit_finds_ipods_dog_booties_on_homeland_security_credit_cards/
    "Audit finds iPods, dog booties on Homeland Security credit cards By Lara Jakes Jordan, Associated Press Writer | July 19, 2006
    WASHINGTON --Wielding government-issued credit cards, Homeland Security employees racked up hundreds of thousands of dollars in unjustified expenses last year, including booties for rescue dogs, iPods, designer rain jackets and beer-making equipment, a congressional audit shows."

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  3. FOIA? National Security?? by 2phar · · Score: 3, Informative

    "The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary"

    Could someone explain how a flaw discovered in public source code is "proprietary"?!

    Are they saying they can't tell anyone what's wrong with it because it would reveal some sort of flaw in SSL to 'terrorists'? Will this stand up to the Freedom of Information Act?

    And then.. if the developers via divine intervention determine what the problem is, does this mean they can't put comments in the open source describing it?!

    Ridiculous.

    1. Re:FOIA? National Security?? by Shanep · · Score: 2, Informative

      They have a policy not to publicly disclose this info. This policy was set up for proprietary/closed source vendors. They just continued to follow that policy when dealing with an open source vendor. OpenSSL/OpenBSD will most likely tell the public this info at some point, but it still may be something they want to fix before publishing -- a practice which is common in both open and closed source products/projects.

      Why would the OpenBSD project make public announcements on behalf of the separate OpenSSL project? The OpenSSL project cannot speak for themselves?

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  4. Re:Reasons Not Given? by Anonymous Coward · · Score: 2, Informative

    They were referring to publicly providing the info. They do provide it to the vendor/developer of the product.
    They would not tell the person researching/writing the article why it was revoked.

  5. Re:I'm guessing by glitch23 · · Score: 0, Informative

    I know you were being sarcastic but I'll bite. The answer is yes at least for certain U.S. gov't departments. I work on a U.S. gov't contract and when implementing a custom application that was ported to Java we had to abide by security requirements as part of our overall project requirements. One of those requirements was that no passwords shall be sent in the clear but the kicker was that we had to use something that was FIPS compliant and certified. I was told the mere use of certified algorithms wasn't enough but that meant we had to buy something because rolling our own implementation of the algorithms would require certification and we didn't have time or the money for that.

    In the end it was sufficient to roll our own and write up what was done until a long term solution was developed. It was a pain in the ass because, of the products that are FIPS compliant, a lot are hardware solutions and some of the others weren't even available for use outside of the company who developed them. An example of that was a library that I believe IBM made. I contacted the people listed on the FIPS site for that item and I was told that the library was for internal use only. A lot of good it does for it to be listed on the FIPS site. We also needed a Java implementation, which made it even more difficult because the FIPS 140-2 list just isn't that long, which lowers the chances of finding just what you need. YMMV

    --
    this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address