Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSL Revalidated Following Suspension

Posted by Zonk on from the can't-keep-a-penguin-down dept.

lisah writes "Despite what looks like an organized effort to prevent it, OpenSSL has been revalidated by an independent testing agency for its ability to securely manage sensitive data and is ready for use by governmental agencies like the Department of Defense. According to the Open Source Software Institute, who has been overseeing the validation process for the last five years (something that typically only takes a few months), it seems that the idea of an open source SSL toolkit didn't sit right with proprietary vendors of similar products. A FUD campaign was launched against OpenSSL that resulted in a temporary suspension of its validation. Developers and volunteers refused to give up the ghost until the validation was reinstated, and Linux.com has the story of the project's long road to success." Linux.com and Slashdot are both owned by OSTG.

3 of 51 comments (clear)

  1. Misconceptions in the write-up by Cerebus · · Score: 5, Informative

    1. FIPS 140 validations taking a long time is not unusual.

    2. OpenSSL was validated as *source*. All other FIPS 140 validations are of *object code* or devices. This is the first cryptomodule to be validated in source form and contributed to the time taken to validate.

    3. The OpenSSL original cert was suspended because there was a small bit crypto code that resided outside the security boundary. Confusion between sponsor, lab, and NIST contributed to the suspension. See #2.

    4. Claims of vendor FUD are overblown. NSS, another Open Source cryptomodule, already has FIPS 140-1 certification (for version 3.6; 3.11 will be entering FIPS 140-2 eval soon).

    --
    -- Cerebus
  2. who were behind the complaints .. by rs232 · · Score: 4, Informative

    "We called it the FUD campaign," he says. "There were all kinds of complaints sent to the CMVP including one about 'Commie code.'"

    'While OSSI was not able to review each complaint the CMVP received, the ones they did see often contained redacted, or blacked-out, data about who had filed the complaint. Some documents, however, did reveal the complainant information, and Weathersby says that is how the OSSI became aware that, in some cases, proprietary software vendors were lodging the complaints'

    --
    davecb5620@gmail.com
  3. It was not a cheap process either... by wherrera · · Score: 4, Informative

    It seems to have cost over US$ 120,000 (by 2006) to certify, not including volunteer hours:

    http://groups.google.com/group/mailing.openssl.use rs/browse_frm/thread/7aa07e7a6ba9bbe8/d3c4113f0a49 998a?lnk=st&q=cost+FIPS+certification&rnum=3&hl=en #d3c4113f0a49998a