OpenSSL loses FIPS 140-2 Certification

OhHellWithIt writes "Government Computer News reported on Tuesday that OpenSSL has lost FIPS 140-2 certification, only six months after receiving it. It sounds like bad news for those of us who would like to see open source gain more of a foothold in U.S. federal workplaces." Readers have updated this story with an update saying the certification has shifted again.

I got this in the fips-nis-update mailing list

[Argon]

3:00 pm -- Tuesday, July 18, 2006

http://oss-institute.org/index.php?option=content& task=view&id=166&Itemid=

OpenSSL Module Certification Number 642: back on again...

To: OSSI
From: DOMUS IT Labs
RE: Status of OpenSSL Module (Certification #642)

I received a call this afternoon (Tuesday, July 18, 2006) from the NIST side from the CMVP. They have indicated that certificate #642 had incorrectly been marked as "revoked" during the web site update on Friday 14-Jul-2006. The CMVP has returned the certificate to its "not available" status and posted the following explanation regarding the terminology:

If a validation certificate is marked not available, the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

Refer to http://csrc.nist.gov/cryptval/140-1/1401val.htm

Updated and resubmission continues on previous schedule.

----
it's never boring, that I can promise you.
stay tuned.
jmw

--
John M. Weathersby, Jr.
Executive Director
Open Source Software Institute
www.oss-institute.org
tel: 601.427.0152

Ad maiorem dei gloriam (AMDG)
Audentes fortuna juvat