OpenSSL Revalidated Following Suspension

lisah writes "Despite what looks like an organized effort to prevent it, OpenSSL has been revalidated by an independent testing agency for its ability to securely manage sensitive data and is ready for use by governmental agencies like the Department of Defense. According to the Open Source Software Institute, which has been overseeing the validation process for the last five years (something that typically takes only a few months), it seems that the idea of an open source SSL toolkit didn't sit right with proprietary vendors of similar products. A FUD campaign was launched against OpenSSL that resulted in a temporary suspension of its validation. Developers and volunteers refused to give up the ghost until the validation was reinstated, and Linux.com has the story of the project's long road to success." Linux.com and Slashdot are both owned by OSTG.
  • by Cerebus ( 10185 ) on Friday February 09, 2007 @01:15PM (#17950204) Homepage
    1. FIPS 140 validations taking a long time is not unusual.

    2. OpenSSL was validated as *source*. All other FIPS 140 validations are of *object code* or devices. This is the first cryptomodule to be validated in source form and contributed to the time taken to validate.

    3. The OpenSSL original cert was suspended because there was a small bit of crypto code that resided outside the security boundary. Confusion between sponsor, lab, and NIST contributed to the suspension. See #2.

    4. Claims of vendor FUD are overblown. NSS, another Open Source cryptomodule, already has FIPS 140-1 certification (for version 3.6; 3.11 will be entering FIPS 140-2 eval soon).
  • by jmwci1 ( 710934 ) <jmw@oss-institute.org> on Friday February 09, 2007 @01:15PM (#17950210) Homepage
    From the Too-much-information-for-those-who-do-not-wish-to-hear-it file:

    The DoD policy which requires the FIPS validation process for programs such as OpenSSL is the National Security Telecommunication and Information Systems Security Policy Number 11 (NSTISSP No. 11). An overview can be found here: http://www.enpointe.com/security/pdf/nstissp11_factsheet2.pdf

    In short, it states that for govt/DoD to purchase/acquire any Information Assurance (IA) or IA-enabled products, they must pass through the appropriate validation process (Federal Information Processing Standards-FIPS, or Common Criteria-CC).

    On a technical side, the validation process only verifies that the product performs as designed/advertised. It simply verifies or validates the products claims.

    From an acquisition/implementation side, it is critically important because it is "required" if a product is to be used within specified DoD systems. It is the check in the box which even allows a product to be openly considered within these stringent environments.

    Does this mean that there are such programs running inside DoD/govt environments which have not gone through such validation efforts...sure there are. Until now, OpenSSL was one of those products.

    But, to promote and encourage the open adoption of open source programs, such as OpenSSL or Linux (of which both RH and SuSE have passed through CC), then they must pass through the same tests as other similar (most of the time proprietary) product offerings. We (in the Open Source Community) talk about wanting a "level playing field," well this is part of that process of achieving it. A level playing field is a two-edged sword, so if that's what you want, which we do, then you've got to take the challenges along with the opportunities. Those are the rules.

    regards,
    jmw
  • by rs232 ( 849320 ) on Friday February 09, 2007 @01:16PM (#17950236)
    "We called it the FUD campaign," he says. "There were all kinds of complaints sent to the CMVP including one about 'Commie code.'"

    'While OSSI was not able to review each complaint the CMVP received, the ones they did see often contained redacted, or blacked-out, data about who had filed the complaint. Some documents, however, did reveal the complainant information, and Weathersby says that is how the OSSI became aware that, in some cases, proprietary software vendors were lodging the complaints'