Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSL loses FIPS 140-2 Certification (Or Not)

Posted by ryuzaki0 on from the edoc-eht-kcarc-t'nod dept.

OhHellWithIt writes "Government Computer News reported on Tuesday that OpenSSL has lost FIPS 140-2 certification, only six months after receiving it. It sounds like bad news for those of us who would like to see open source gain more of a foothold in U.S. federal workplaces." Readers have updated this story with an update saying the certification has shifted again.

5 of 102 comments (clear)

  1. I got this in the fips-nis-update mailing list by Argon · · Score: 5, Informative

    3:00 pm -- Tuesday, July 18, 2006

    http://oss-institute.org/index.php?option=content& task=view&id=166&Itemid=

    OpenSSL Module Certification Number 642: back on again...

    To: OSSI
    From: DOMUS IT Labs
    RE: Status of OpenSSL Module (Certification #642)

    I received a call this afternoon (Tuesday, July 18, 2006) from the NIST side from the CMVP. They have indicated that certificate #642 had incorrectly been marked as "revoked" during the web site update on Friday 14-Jul-2006. The CMVP has returned the certificate to its "not available" status and posted the following explanation regarding the terminology:

    If a validation certificate is marked not available, the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

    If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

    Refer to http://csrc.nist.gov/cryptval/140-1/1401val.htm

    Updated and resubmission continues on previous schedule.

    ----
    it's never boring, that I can promise you.
    stay tuned.
    jmw

    --
    John M. Weathersby, Jr.
    Executive Director
    Open Source Software Institute
    www.oss-institute.org
    tel: 601.427.0152

    Ad maiorem dei gloriam (AMDG)
    Audentes fortuna juvat

  2. Saving$ are for Sucker$ by digitaldc · · Score: 3, Informative

    An official with the Defense Department's Defense Medical Logistics Standard Support program told GCN when certification was granted that OpenSSL could save the program hundreds of thousands of dollars.

    Just speculating here, but maybe it is due to 'competition' by a high-priced commercial alternative that was pushed through by lobbyists?
    Why save US taxpayers hundreds of thousands of dollars when you can benefit yourself and rack up huge profits for your corporate friends?


    Further reading: http://www.boston.com/news/local/maine/articles/20 06/07/19/audit_finds_ipods_dog_booties_on_homeland _security_credit_cards/
    "Audit finds iPods, dog booties on Homeland Security credit cards By Lara Jakes Jordan, Associated Press Writer | July 19, 2006
    WASHINGTON --Wielding government-issued credit cards, Homeland Security employees racked up hundreds of thousands of dollars in unjustified expenses last year, including booties for rescue dogs, iPods, designer rain jackets and beer-making equipment, a congressional audit shows."

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  3. FOIA? National Security?? by 2phar · · Score: 3, Informative

    "The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary"

    Could someone explain how a flaw discovered in public source code is "proprietary"?!

    Are they saying they can't tell anyone what's wrong with it because it would reveal some sort of flaw in SSL to 'terrorists'? Will this stand up to the Freedom of Information Act?

    And then.. if the developers via divine intervention determine what the problem is, does this mean they can't put comments in the open source describing it?!

    Rediculous.

    1. Re:FOIA? National Security?? by Shanep · · Score: 2, Informative

      They have a policy not to publicly disclose this info. This policy was set up for propriatary/closed source vendors. They just continued to follow that policy when dealing with an open source vendor. OpenSSL/OpenBSD will most likely tell the public this info at some point, but it still may be something they want to fix before publishing -- a practice which is common in both open and closed source products/projects.

      Why would the OpenBSD project make public announcements on behalf of the seperate OpenSSL project? The OpenSSL project cannot speak for themselves?

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  4. Re:Reasons Not Given? by Anonymous Coward · · Score: 2, Informative

    They were refering to publicly providing the info. They do provide it to the vendor/developer of the product.
    They would not tell the person researching/writing the article why it was revoked.