Slashdot Mirror


OpenSSL Revalidated Following Suspension

lisah writes "Despite what looks like an organized effort to prevent it, OpenSSL has been revalidated by an independent testing agency for its ability to securely manage sensitive data and is ready for use by governmental agencies like the Department of Defense. According to the Open Source Software Institute, which has been overseeing the validation process for the last five years (something that typically takes only a few months), it seems that the idea of an open source SSL toolkit didn't sit right with proprietary vendors of similar products. A FUD campaign was launched against OpenSSL that resulted in a temporary suspension of its validation. Developers and volunteers refused to give up the ghost until the validation was reinstated, and Linux.com has the story of the project's long road to success." Linux.com and Slashdot are both owned by OSTG.

2 of 51 comments shown

  1. Then let me be the first to answer . . . by mmell · Score: 5, Insightful
    Non-validated tools are worthless. The likelihood of their being used as tools by any branch of the government (including the banks) is virtually nil today. D'you really think business will follow where the government/banking industry won't go, or end users (with no business or government end-points to connect to)?

    And of course, any moron can "write an insecure application" using any tools. Writing a secure application, OTOH . . .

  2. Misconceptions in the write-up by Cerebus · Score: 5, Informative

    1. FIPS 140 validations taking a long time is not unusual.

    2. OpenSSL was validated as *source*. All other FIPS 140 validations are of *object code* or devices. This is the first cryptomodule to be validated in source form, which contributed to the time taken to validate.

    3. The original OpenSSL cert was suspended because there was a small bit of crypto code that resided outside the security boundary. Confusion between sponsor, lab, and NIST contributed to the suspension. See #2.

    4. Claims of vendor FUD are overblown. NSS, another Open Source cryptomodule, already has FIPS 140-1 certification (for version 3.6; 3.11 will be entering FIPS 140-2 eval soon).

    -- Cerebus