OpenSSL loses FIPS 140-2 Certification

OhHellWithIt writes "Government Computer News reported on Tuesday that OpenSSL has lost FIPS 140-2 certification, only six months after receiving it. It sounds like bad news for those of us who would like to see open source gain more of a foothold in U.S. federal workplaces." Readers have updated this story with an update saying the certification has shifted again.

Reasons Not Given?

[mr_rattles]

"The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary"

This is one of the most ridiculous statements I've ever read. How is the problem supposed to be fixed if the vendor is never told what the problem is, and so what if it's proprietary? When I read a statement like this it suggests to me that there's doesn't have to be a method behind how they determine what's rejected and what's not, the person(s) deciding could have simply had a proprietary "I'm in a bad mood today and want to take it out on someone" reason.

Politics != Security

[ttfkam]

Weathersby said OpenSSL has been challenged by companies with competing proprietary encryption technologies, and that those challenges are aided by the open-source model, which makes source code for the tools publicly available.

"Now the opposing forces have the luxury of going in and trying to pick us apart," he said. "That's fine. That's fair. This is about dollars and cents. This is not about technology."

This doesn't bother me so much on its face; OpenSSL can only get better after this intense review. What bothers me is that the "opposing forces" are not likely receiving the same level of scrutiny and yet presumably are fully certified for sensitive information by the US government.

But of course they can't release the code for everyone else to review. People might steal their ideas, right? So how do we know they are secure rather than "mostly secure"? Or even worse, that they are "sort of secure, but the right people were taken out to dinner."