Slashdot Mirror


OpenSSL Revalidated Following Suspension

lisah writes "Despite what looks like an organized effort to prevent it, OpenSSL has been revalidated by an independent testing agency for its ability to securely manage sensitive data and is ready for use by governmental agencies like the Department of Defense. According to the Open Source Software Institute, which has been overseeing the validation process for the last five years (something that typically only takes a few months), it seems that the idea of an open source SSL toolkit didn't sit right with proprietary vendors of similar products. A FUD campaign was launched against OpenSSL that resulted in a temporary suspension of its validation. Developers and volunteers refused to give up the ghost until the validation was reinstated, and Linux.com has the story of the project's long road to success." Linux.com and Slashdot are both owned by OSTG.

3 of 51 comments

  1. Re:Let me be the first to say... by tomstdenis · Score: 2, Interesting

    Given that I'm doing NIST certification right now, I can assure you it's meaningless. They basically throw a bunch of vectors at you, you reply, if you get it right they give you a cert # and list you on some website.

    The only reason ANYONE does this is so they can get on that website. Getting a compliant AES routine isn't hard. There are dozens of implementations under BSD, MIT, GPL, and various other FLOSS licenses [including public domain]. That you picked an AESVS certified implementation doesn't mean your application is "better".

    In fact, AESVS does not mandate any implementation details other than it outputs the right ciphertext.

    The FIPS-140 series are a bit diff, but overall it's still a meaningless gesture.

    Tom

    --
    Someday, I'll have a real sig.
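The "throw vectors at you, you reply" loop described in the comment above is a known-answer test (KAT). What follows is an added example, not code from the original page, from OpenSSL or from the LibTom projects: a small table-driven AES-128 plus a KAT harness that runs it against published vectors (FIPS-197 Appendix B and C.1, and NIST's GCM spec test case 1, the all-zero key and block). The harness sees only whether the ciphertext matches, which is the comment's point: this table-lookup implementation passes exactly as a constant-time one would, and the pass/fail table cannot tell them apart. The `mix_last_round` switch is a hypothetical bug knob added here to show what the test does catch.

```python
"""KAT harness of the kind a validation lab runs: feed published AES vectors
to an implementation and compare the output bit-for-bit.  Added example; the
AES-128 below was written for this illustration, not OpenSSL's or LibTom's."""


def _gen_sbox():
    """Derive the AES S-box (GF(2^8) inverse followed by the affine map)
    instead of typing 256 constants.  Loop invariant: p * q == 1."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)  # p *= 3
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09                                          # q /= 3
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse
    return sbox


SBOX = _gen_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def expand_key(key):
    """AES-128 key schedule; returns 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def encrypt_block(key, block, mix_last_round=False):
    """Encrypt one 16-byte block.  State is column-major (index = row + 4*col),
    the order the input bytes already arrive in.  mix_last_round=True is a
    hypothetical bug (MixColumns in round 10) used to show a KAT failing."""
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                             # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]   # ShiftRows
        if rnd != 10 or mix_last_round:                      # MixColumns
            m = []
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]
                m += [xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3,
                      a0 ^ xtime(a1) ^ xtime(a2) ^ a2 ^ a3,
                      a0 ^ a1 ^ xtime(a2) ^ xtime(a3) ^ a3,
                      xtime(a0) ^ a0 ^ a1 ^ a2 ^ xtime(a3)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]              # AddRoundKey
    return bytes(s)


# Published vectors: FIPS-197 Appendix B and C.1, and NIST's GCM spec test
# case 1 (all-zero key and block).  (name, key, plaintext, ciphertext) in hex.
KAT_VECTORS = [
    ("FIPS-197 App. B", "2b7e151628aed2a6abf7158809cf4f3c",
     "3243f6a8885a308d313198a2e0370734", "3925841d02dc09fbdc118597196a0b32"),
    ("FIPS-197 App. C.1", "000102030405060708090a0b0c0d0e0f",
     "00112233445566778899aabbccddeeff", "69c4e0d86a7b0430d8cdb78070b4c55a"),
    ("GCM spec test case 1", "00" * 16, "00" * 16,
     "66e94bd4ef8a2c3b884cfa59ca342b2e"),
]


def run_kat(encrypt, vectors=KAT_VECTORS):
    """Run every vector through encrypt(key, plaintext); return {name: passed}.
    This pass/fail table is all the test can see about the implementation."""
    return {name: encrypt(bytes.fromhex(key), bytes.fromhex(pt)) == bytes.fromhex(ct)
            for name, key, pt, ct in vectors}


if __name__ == "__main__":
    for name, ok in run_kat(encrypt_block).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
    buggy = lambda k, b: encrypt_block(k, b, mix_last_round=True)
    print("buggy variant:", run_kat(buggy))
```

Running the script prints PASS for all three vectors and a table of False for the buggy variant. Note what the harness does not exercise: the S-box and round function here are plain table lookups, and nothing in the vectors or the comparison distinguishes that from a bit-sliced or hardware-backed routine, so passing says only that the mapping from (key, plaintext) to ciphertext is right.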
  2. Re:Please list the LibTom projects in question . . by tomstdenis · Score: 2, Interesting

    My projects are public domain. I stand to lose nothing if they stopped using them.

    Note I should have been clearer. I said they use them; I didn't mean specifically that they end up in actual fielded projects (because I don't know about the latter). But logically, from the logs and support emails I get from various organizations, they're at least using it for something. I do know that some folk at NIST used the projects for testing CCM implementations. Heard that from former employees.

    Point is, non-validated code is used to do work.

    Tom

    --
    Someday, I'll have a real sig.
  3. m$^8 by Anonymous Coward · Score: 1, Interesting

    Was this also sponsored by microsoft or was it some other biggie this time?

    Oh wait, there are no other hostile biggies.