Slashdot Mirror


OpenSSL loses FIPS 140-2 Certification (Or Not)

OhHellWithIt writes "Government Computer News reported on Tuesday that OpenSSL has lost FIPS 140-2 certification, only six months after receiving it. It sounds like bad news for those of us who would like to see open source gain more of a foothold in U.S. federal workplaces." Readers have since updated this story with a note that the certification status has shifted again.

6 of 102 comments

  1. I'm guessing by PunkOfLinux · · Score: 5, Funny

    I'm guessing that this certification is necessary if you want your product to be used in the federal government, right???

  2. Reasons Not Given? by mr_rattles · · Score: 5, Insightful

    "The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary"

    This is one of the most ridiculous statements I've ever read. How is the problem supposed to be fixed if the vendor is never told what the problem is, and so what if it's proprietary? When I read a statement like this it suggests to me that there doesn't have to be a method behind how they determine what's rejected and what's not; the person(s) deciding could have simply had a proprietary "I'm in a bad mood today and want to take it out on someone" reason.

    1. Re:Reasons Not Given? by smooth wombat · · Score: 4, Interesting

      Normal operating procedure. Years ago, when I applied for a position with an unnamed 3-letter agency, I gave them several double-sided sheets of information going back ten years. Went through the whole process of urine testing, blood analysis, polygraph (twice), and psychological evaluation (bubble test and actual person). After all was said and done I received notice that I would not proceed to the next stage.

      I wrote a letter requesting the specific reason for this and was told that that information was proprietary and might disclose operational procedures.

      So let's review. I give them almost 20 pages of documentation, agree that they can ask questions about me from family members, relatives, neighbors, etc., agree to let them do a credit check on me and contact other law enforcement agencies to see if I have a record, answer an entire booklet of psychological questions, undergo two polygraph tests, a blood test and urinalysis, and they won't tell me how they came to their decision because in doing so it might reveal how they gather the information.

      Um, yeah.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:Reasons Not Given? by ChrisDolan · · Score: 4, Funny

      TLA Psych Report for: [Smooth Wombat]
      Recommendation: REJECT
      Reason:
        Psych models predict subject shows high likelihood
        of revealing operational procedures to Slashdot

  3. I got this in the fips-nis-update mailing list by Argon · · Score: 5, Informative

    3:00 pm -- Tuesday, July 18, 2006

    http://oss-institute.org/index.php?option=content&task=view&id=166&Itemid=

    OpenSSL Module Certification Number 642: back on again...

    To: OSSI
    From: DOMUS IT Labs
    RE: Status of OpenSSL Module (Certification #642)

    I received a call this afternoon (Tuesday, July 18, 2006) from the NIST side from the CMVP. They have indicated that certificate #642 had incorrectly been marked as "revoked" during the web site update on Friday 14-Jul-2006. The CMVP has returned the certificate to its "not available" status and posted the following explanation regarding the terminology:

    If a validation certificate is marked not available, the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

    If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

    Refer to http://csrc.nist.gov/cryptval/140-1/1401val.htm

    Update and resubmission continue on the previous schedule.

    ----
    it's never boring, that I can promise you.
    stay tuned.
    jmw

    --
    John M. Weathersby, Jr.
    Executive Director
    Open Source Software Institute
    www.oss-institute.org
    tel: 601.427.0152

    Ad maiorem dei gloriam (AMDG)
    Audentes fortuna juvat

  4. Politics != Security by ttfkam · · Score: 4, Insightful

    "Weathersby said OpenSSL has been challenged by companies with competing proprietary encryption technologies, and that those challenges are aided by the open-source model, which makes source code for the tools publicly available."

    "'Now the opposing forces have the luxury of going in and trying to pick us apart,' he said. 'That's fine. That's fair. This is about dollars and cents. This is not about technology.'"

    This doesn't bother me so much on its face; OpenSSL can only get better after this intense review. What bothers me is that the "opposing forces" are not likely receiving the same level of scrutiny and yet presumably are fully certified for sensitive information by the US government.

    But of course they can't release the code for everyone else to review. People might steal their ideas, right? So how do we know they are secure rather than "mostly secure"? Or even worse, that they are "sort of secure, but the right people were taken out to dinner."
    --

    - I don't need to go outside, my CRT tan'll do me just fine.