OpenSSL loses FIPS 140-2 Certification (Or Not)

← Back to Stories (view on slashdot.org)

OpenSSL loses FIPS 140-2 Certification (Or Not)

Posted by ryuzaki0 on Wednesday July 19, 2006 @02:40AM from the edoc-eht-kcarc-t'nod dept.

OhHellWithIt writes "Government Computer News reported on Tuesday that OpenSSL has lost FIPS 140-2 certification, only six months after receiving it. It sounds like bad news for those of us who would like to see open source gain more of a foothold in U.S. federal workplaces." Readers have updated this story with an update saying the certification has shifted again.

3 of 102 comments (clear)

Min score:

Reason:

Sort:

I'm guessing by PunkOfLinux · 2006-07-19 02:44 · Score: 5, Funny

I'm guessing that this certification is necessary if you want your product to be used in the federal government, right???

--
Show this to your friends and family that don't know what a real hacker is
Reasons Not Given? by mr_rattles · 2006-07-19 02:49 · Score: 5, Insightful

"The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary"

This is one of the most ridiculous statements I've ever read. How is the problem supposed to be fixed if the vendor is never told what the problem is, and so what if it's proprietary? When I read a statement like this it suggests to me that there's doesn't have to be a method behind how they determine what's rejected and what's not, the person(s) deciding could have simply had a proprietary "I'm in a bad mood today and want to take it out on someone" reason.

--
Erik http://yakko.cs.wmich.edu/~rattles
I got this in the fips-nis-update mailing list by Argon · 2006-07-19 02:50 · Score: 5, Informative

3:00 pm -- Tuesday, July 18, 2006

http://oss-institute.org/index.php?option=content& task=view&id=166&Itemid=

OpenSSL Module Certification Number 642: back on again...

To: OSSI
From: DOMUS IT Labs
RE: Status of OpenSSL Module (Certification #642)

I received a call this afternoon (Tuesday, July 18, 2006) from the NIST side from the CMVP. They have indicated that certificate #642 had incorrectly been marked as "revoked" during the web site update on Friday 14-Jul-2006. The CMVP has returned the certificate to its "not available" status and posted the following explanation regarding the terminology:

If a validation certificate is marked not available, the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

Refer to http://csrc.nist.gov/cryptval/140-1/1401val.htm

Updated and resubmission continues on previous schedule.

----
it's never boring, that I can promise you.
stay tuned.
jmw

--
John M. Weathersby, Jr.
Executive Director
Open Source Software Institute
www.oss-institute.org
tel: 601.427.0152

Ad maiorem dei gloriam (AMDG)
Audentes fortuna juvat