Slashdot Mirror


OpenSSL loses FIPS 140-2 Certification (Or Not)

OhHellWithIt writes "Government Computer News reported on Tuesday that OpenSSL has lost FIPS 140-2 certification, only six months after receiving it. It sounds like bad news for those of us who would like to see open source gain more of a foothold in U.S. federal workplaces." Readers have since sent in an update saying the certification status has shifted again.

21 of 102 comments

  1. I'm guessing by PunkOfLinux · · Score: 5, Funny

    I'm guessing that this certification is necessary if you want your product to be used in the federal government, right???

    1. Re:I'm guessing by Ana10g · · Score: 2, Insightful

      That, and a myriad of other certifications... I think they make up certifications so that politics can decide what software can be used where... "Your application doesn't meet certification 'X', sorry, we're going to use your competitor's product, (who, btw, funded the creation of the certification)."
      I of course, can't really back that up, but that's what it seems like to me.

      --
      just an analog boy living in a digital age.
  2. Stupid Politics by neonprimetime · · Score: 3, Interesting

    "I am discouraged with what appears to be another change after certification has been awarded," said executive director John Weathersby. "It is disheartening after three-and-a-half years of work to have the certification pulled twice for reasons not clear to us."
    ... NIST is not saying why the certificate was removed.

    Stupid politics.

    1. Re:Stupid Politics by andrewman327 · · Score: 3, Interesting

      Punishing a company and not explaining why? That is just bad business. I imagine it could have to do with national security concerns, but if that were the case, why would they have awarded cert in the first place? Something really does not add up here.

      --
      Information wants a fueled airplane waiting at the hangar and no one gets hurt.
    2. Re:Stupid Politics by hey! · · Score: 3, Insightful

      Well, certification should not be viewed as reward, and removing certification should not be a punishment.

      It should have nothing to do with the recipient of the certification; it should be based on whether the product meets certain well established and reasonable criteria, given the best information at the time.

      Furthermore, it makes sense not to tell the world exactly what vulnerability you found that caused the product to be decertified, until your agencies can stop using it, which is not overnight.

      However.

      What doesn't make sense is concealing this from the organization that obtained the certification to begin with, and presumably could save the Federal government much cost and inconvenience by addressing the problem. In fact, it's terrible.

      How can we know this wasn't done as favor to a political contributor?

      We can't.

      Even before 9/11, the stance of this administration has been that explaining its reasons for doing things -- only in certain situations, mind you -- unduly hampered its ability to get frank and unvarnished advice from industry. Leaving aside that no presidency in living memory ever felt this to be a problem, we have to decide. We either can know that our officials aren't taking payoffs, OR we deprive those officials of advice whose nature is such that if we knew what it was there would be a public scandal.

      If that last sentence seems hard to parse, it's because it doesn't make any sense. The underlying premise is absurd: that public officials need to be able to do shameful things.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  3. Weasel words by sharkey · · Score: 3, Funny
    On July 14 the CMVP Web site listed the OpenSSL certificate 642 as revoked. On Monday it was listed as not available. A statement from CMVP supervisor Randy Easter indicated there is no distinction between the two terms.

    Then what honest reason is there for HAVING different terms?

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    1. Re:Weasel words by Southpaw018 · · Score: 2, Insightful

      It's the government. There is, unfortunately, no reason needed. Bureaucracy is part of the equation.

      --
      ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
  4. Reasons Not Given? by mr_rattles · · Score: 5, Insightful

    "The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary"

    This is one of the most ridiculous statements I've ever read. How is the problem supposed to be fixed if the vendor is never told what the problem is, and so what if it's proprietary? When I read a statement like this it suggests to me that there doesn't have to be a method behind how they determine what's rejected and what's not; the person(s) deciding could have simply had a proprietary "I'm in a bad mood today and want to take it out on someone" reason.

    1. Re:Reasons Not Given? by Anonymous Coward · · Score: 2, Informative

      They were referring to publicly providing the info. They do provide it to the vendor/developer of the product.
      They would not tell the person researching/writing the article why it was revoked.

    2. Re:Reasons Not Given? by smooth+wombat · · Score: 4, Interesting

      Normal operating procedure. Years ago, when I applied for a position with an unnamed 3-letter agency, I gave them several double-sided sheets of information going back ten years. Went through the whole process of urine testing, blood analysis, polygraph (twice), and psychological evaluation (bubble test and actual person). After all was said and done I received notice that I would not proceed to the next stage.

      I wrote a letter requesting the specific reason for this and was told that that information was proprietary and might disclose operational procedures.

      So let's review. I give them almost 20 pages of documentation, agree that they can ask questions about me from family members, relatives, neighbors, etc., agree to let them do a credit check on me and contact other law enforcement agencies to see if I have a record, answer an entire booklet of psychological questions, undergo two polygraph tests, a blood test and urinalysis, and they won't tell me how they came to their decision because in doing so it might reveal how they gather the information.

      Um, yeah.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    3. Re:Reasons Not Given? by Anonymous Coward · · Score: 3, Funny
      Dear Smooth Wombat,
      You had heroin in your system and traces of anally absorbed KY Jelly.

      Regards,
      Three Letter Agency

    4. Re:Reasons Not Given? by ChrisDolan · · Score: 4, Funny

      TLA Psych Report for: [Smooth Wombat]
      Recommendation: REJECT
      Reason:
        Psych models predict subject shows high likelihood
        of revealing operational procedures to Slashdot

    5. Re:Reasons Not Given? by Ginger+Unicorn · · Score: 2, Insightful
      I think it's probably that they don't want to give away their analytical procedures, rather than their information gathering procedure, which as you point out you already knew, having gone through it.

      Think about it: if they told you why they rejected you, you could tell someone else what to do in order to pass that part of the test, thus jeopardising the validity of future tests.

      --
      (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
  5. I got this in the fips-nis-update mailing list by Argon · · Score: 5, Informative

    3:00 pm -- Tuesday, July 18, 2006

    http://oss-institute.org/index.php?option=content&task=view&id=166&Itemid=

    OpenSSL Module Certification Number 642: back on again...

    To: OSSI
    From: DOMUS IT Labs
    RE: Status of OpenSSL Module (Certification #642)

    I received a call this afternoon (Tuesday, July 18, 2006) from the NIST side from the CMVP. They have indicated that certificate #642 had incorrectly been marked as "revoked" during the web site update on Friday 14-Jul-2006. The CMVP has returned the certificate to its "not available" status and posted the following explanation regarding the terminology:

    If a validation certificate is marked not available, the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

    If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

    Refer to http://csrc.nist.gov/cryptval/140-1/1401val.htm

    Updated and resubmission continues on previous schedule.

    ----
    it's never boring, that I can promise you.
    stay tuned.
    jmw

    --
    John M. Weathersby, Jr.
    Executive Director
    Open Source Software Institute
    www.oss-institute.org
    tel: 601.427.0152

    Ad maiorem dei gloriam (AMDG)
    Audentes fortuna juvat

    1. Re:I got this in the fips-nis-update mailing list by Mr.+Hankey · · Score: 2, Interesting

      More interesting is the fact that several commercial products from companies such as Oracle and Cisco rely on OpenSSL. I'm curious to see just how long this will last. My guess is not as long as some people think.

      --
      GPL: Free as in will
  6. Saving$ are for Sucker$ by digitaldc · · Score: 3, Informative

    An official with the Defense Department's Defense Medical Logistics Standard Support program told GCN when certification was granted that OpenSSL could save the program hundreds of thousands of dollars.

    Just speculating here, but maybe it is due to 'competition' by a high-priced commercial alternative that was pushed through by lobbyists?
    Why save US taxpayers hundreds of thousands of dollars when you can benefit yourself and rack up huge profits for your corporate friends?

    Further reading: http://www.boston.com/news/local/maine/articles/2006/07/19/audit_finds_ipods_dog_booties_on_homeland_security_credit_cards/
    "Audit finds iPods, dog booties on Homeland Security credit cards By Lara Jakes Jordan, Associated Press Writer | July 19, 2006
    WASHINGTON --Wielding government-issued credit cards, Homeland Security employees racked up hundreds of thousands of dollars in unjustified expenses last year, including booties for rescue dogs, iPods, designer rain jackets and beer-making equipment, a congressional audit shows."

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  7. FOIA? National Security?? by 2phar · · Score: 3, Informative

    "The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary"

    Could someone explain how a flaw discovered in public source code is "proprietary"?!

    Are they saying they can't tell anyone what's wrong with it because it would reveal some sort of flaw in SSL to 'terrorists'? Will this stand up to the Freedom of Information Act?

    And then.. if the developers via divine intervention determine what the problem is, does this mean they can't put comments in the open source describing it?!

    Ridiculous.

    1. Re:FOIA? National Security?? by Shanep · · Score: 2, Informative

      They have a policy not to publicly disclose this info. This policy was set up for proprietary/closed source vendors. They just continued to follow that policy when dealing with an open source vendor. OpenSSL/OpenBSD will most likely tell the public this info at some point, but it still may be something they want to fix before publishing -- a practice which is common in both open and closed source products/projects.

      Why would the OpenBSD project make public announcements on behalf of the separate OpenSSL project? The OpenSSL project cannot speak for themselves?

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  8. That's because by caluml · · Score: 2, Funny

    That's because they've found the back door I embedded in it while no-one was looking last Christmas. Wait, someone's at the door.

  9. Politics != Security by ttfkam · · Score: 4, Insightful
    Weathersby said OpenSSL has been challenged by companies with competing proprietary encryption technologies, and that those challenges are aided by the open-source model, which makes source code for the tools publicly available.

    "Now the opposing forces have the luxury of going in and trying to pick us apart," he said. "That's fine. That's fair. This is about dollars and cents. This is not about technology."

    This doesn't bother me so much on its face; OpenSSL can only get better after this intense review. What bothers me is that the "opposing forces" are not likely receiving the same level of scrutiny and yet presumably are fully certified for sensitive information by the US government.

    But of course they can't release the code for everyone else to review. People might steal their ideas, right? So how do we know they are secure rather than "mostly secure"? Or even worse, that they are "sort of secure, but the right people were taken out to dinner."
    --
    - I don't need to go outside, my CRT tan'll do me just fine.
  10. Re:In current news... by neonprimetime · · Score: 3, Interesting

    If a validation certificate is marked "not available," the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

    Weathersby said the problems have been corrected and the workaround submitted to the certifying laboratory, Domus IT Security Laboratory of Ottawa, for re-evaluation.
    Weathersby said the results of the re-evaluation would be submitted to CMVP for a final review and reinstatement of the certificate.
    Seems like we're in for a wait.