Slashdot Mirror


OpenSSL loses FIPS 140-2 Certification (Or Not)

OhHellWithIt writes "Government Computer News reported on Tuesday that OpenSSL has lost FIPS 140-2 certification, only six months after receiving it. It sounds like bad news for those of us who would like to see open source gain more of a foothold in U.S. federal workplaces." Update: readers report that the certification status has shifted again.

5 of 102 comments

  1. Stupid Politics by neonprimetime · Score: 3, Interesting

    "I am discouraged with what appears to be another change after certification has been awarded," said executive director John Weathersby. "It is disheartening after three-and-a-half years of work to have the certification pulled twice for reasons not clear to us."
    ... NIST is not saying why the certificate was removed.


    Stupid politics.

    1. Re:Stupid Politics by andrewman327 · Score: 3, Interesting

      Punishing a company and not explaining why? That is just bad business. I imagine it could have to do with national security concerns, but if that were the case, why would they have awarded cert in the first place? Something really does not add up here.

      --
      Information wants a fueled airplane waiting at the hangar and no one gets hurt.
  2. Re:In current news... by neonprimetime · Score: 3, Interesting

    If a validation certificate is marked "not available," the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

    Weathersby said the problems have been corrected and the workaround submitted to the certifying laboratory, Domus IT Security Laboratory of Ottawa, for re-evaluation.
    Weathersby said the results of the re-evaluation would be submitted to CMVP for a final review and reinstatement of the certificate.


    Seems like we're in for a wait.

  3. Re:Reasons Not Given? by smooth wombat · Score: 4, Interesting

    Normal operating procedure. Years ago, when I applied for a position with an unnamed 3-letter agency, I gave them several double-sided sheets of information going back ten years. I went through the whole process of urine testing, blood analysis, polygraph (twice), and psychological evaluation (bubble test and actual person). After all was said and done, I received notice that I would not proceed to the next stage.

    I wrote a letter requesting the specific reason for this and was told that that information was proprietary and might disclose operational procedures.

    So let's review. I give them almost 20 pages of documentation, agree that they can ask questions about me from family members, relatives, neighbors, etc., agree to let them do a credit check on me and contact other law enforcement agencies to see if I have a record, answer an entire booklet of psychological questions, undergo two polygraph tests, a blood test and urinalysis, and they won't tell me how they came to their decision because in doing so it might reveal how they gather the information.

    Um, yeah.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  4. Re:I got this in the fips-nis-update mailing list by Mr. Hankey · Score: 2, Interesting

    More interesting is the fact that several commercial products from companies such as Oracle and Cisco rely on OpenSSL. I'm curious to see just how long this will last. My guess is not as long as some people think.

    --
    GPL: Free as in will