OpenSSL secures new FIPS validation

From:  John Weathersby <jmw-AT-oss-institute.org>
To:  pr-AT-lwn.net
Subject:  press info: OpenSSL Secures New FIPS Validation
Date:  Thu, 08 Feb 2007 15:23:45 -0600

Contact: 
John Weathersby, Open Source Software Institute
jmw@oss-institute.org

               OpenSSL Secures New FIPS 140-2 Validation

              Open Source Cryptographic Module Once Again
              Available for Government Adoption and Usage


Hattiesburg, MS - Wednesday, February 7, 2007 - The Open Source Software
Institute (OSSI) announced today the FIPS 140-2 validation of the
OpenSSL FIPS Object Module, a cryptographic library based on the widely
used OpenSSL product. The official validation certificate (#733) is now
posted at the NIST FIPS 140-1 and 140-2 Cryptographic Modules Validation
List (http://csrc.nist.gov/cryptval/140-1/1401val2007.htm).

The OpenSSL FIPS Object Module is freely available and can be downloaded
immediately at http://www.openssl.org/source/openssl-fips-1.1.1.tar.gz.
The OpenSSL FIPS Object Module Security Policy and User Guide are also
available for download through the OSSI website (www.oss-institute.org)
and may be used and reproduced without restriction. 

--------------------------

Why this is important to government, IT and open source readers:

1) Information Assurance (IA) programs/modules, such as OpenSSL, must
achieve government validation (FIPS & Common Criteria) before they can
be acquired or used within Dept of Defense systems.  (govt policy which
regulates this is the National Security Telecommunications and
Information Systems Security Policy (NSTISSP) Number 11)

2) FIPS validation demonstrates validity, durability and security of the
open source OpenSSL crypto module...as secure as any comparable
"commercial version" validated module.  Strict scrutiny of the
transparent, open source code caused some delays, but outcome resulted
in the most thoroughly viewed and tested module available.

3) Validation demonstrated the efficient nature of the open source
development model. Updates and modifications were made in hours, not days
or months.

4) Cost benefit to all government, industry and private developers and
implementers who wish to adopt the open source OpenSSL Object module.
It is freely available, as it has already been paid for by DoD and
industry sponsors.

5) All documentation (Security Guide and User Policy) is being made
freely available for download or reuse without restriction.  Also, the
test vectors will be released so that others who wish to undertake a
similar validation effort will have documentation and reference
materials.  This too, is viewed as part of the original package and paid
for by DoD and other sponsoring entities.

For additional information, please contact: 
John Weathersby, OSSI tel: 601.427.0152


John M. Weathersby, Jr.
Executive Director
Open Source Software Institute
National Center for Open Source 
Policy and Research
tel: 601.427.0152

Ad maiorem dei gloriam (AMDG)
Audentes fortuna juvat
(fortune favors the bold)
