Please please read the <a href="UserGuide.pdf">User Guide</a>. Nothing will make sense otherwise (it still may not afterwards, but at least you've a better chance).
-<h2>FIPS what? Where Do I start?</h2>
+<h2>FIPS What? Where Do I Start?</h2>
Ok, so your company needs FIPS validated cryptography to land that big sale, and your product currently uses OpenSSL.
You haven't worked up the motivation to wade through the entire <a href="UserGuide.pdf">User Guide</a> and want the
<p>
<li>If even the tiniest source code or build process changes are required for your intended application, you cannot use
-the open source based validated module directly. You must obtain your own validation. This is a common situation, see "Private
+the open source based validated module directly. You must obtain your own validation. This situation is common; see "Private
Label" validation, below.
<p>
-<li>New FIPS 140-2 validations (of any type) are slow (6-12 months is typical), expensive (USD$50,000 is probably typical for
-an uncomplicated validation), and unpredictable (completion dates are not only uncertain by months when beginning, but ongoing status
-information is scant).
+<li>New FIPS 140-2 validations (of any type) are slow (6-12 months is typical), expensive
+(US$50,000 is probably typical for an uncomplicated validation), and unpredictable
+(completion dates are not only uncertain when first beginning a validation, but remain so
+during the process).
</ul>
-Note FIPS 140-2 validation is a complicated topic that the above summary does not adequately address. You have been warned!
+Note that FIPS 140-2 validation is a complicated topic that the above summary does not adequately address. You have been warned!
<a name="privatelabel">
<h2>The "Private Label" Validation</h2>
</a>
-We refer to validations based directly on the OpenSSL FIPS Object Module as "private label" validations. These are also
-sometimes referred to as "cookie cutter" validations. The usual reason for such separate validations is the need for small
-modifications which forces a complete new validation, but some vendors have for marketing or risk management reasons obtained private label validations for binaries
-produced from unmodified (or only cosmetically modified) source.
+We refer to validations based directly on the OpenSSL FIPS Object Module as
+"private label" validations. These are also sometimes referred to as "cookie cutter"
+validations. The usual reason for such separate validations is the need for small
+modifications which forces a complete new validation, but some vendors,
+for marketing or risk management reasons, have obtained private label validations for binaries
+produced from unmodified (or only cosmetically modified) source code.
<p>
-The OSF would really prefer to work on open source based validations of benefit to the OpenSSL user community at large, but
-financial support for that objective is intermittent at best. On the other hand many vendors are interested in private label
-validations and the OSF will assist in such efforts on a paid basis. We've done enough of these to be very cost competitive
-and for uncomplicated validations will work on a fixed price basis. A routine private label validation on a single commodity
+The OSF would really prefer to work on open source based validations of benefit
+to the OpenSSL user community at large, but financial support for that objective
+is intermittent at best. On the other hand many vendors are interested in private label
+validations and the OSF will assist in such efforts on a paid basis. We've done enough
+of these to be very cost competitive, and for uncomplicated validations we will work
+on a fixed price basis. A routine private label validation on a single commodity
platform can cost as little as
<a href="privatelabel.html">US$30,000</a>.
Private label validations satisfying the U.S. Army "level 2" requirements are also
<font color="#cc3333">Important Note:</font> Due to upcoming changes in the FIPS 140-2 validation requirements the current v1.2 Module will
no longer be a suitable model for private label validations in its current form past the year 2010. See the NIST <a href="http://csrc.nist.gov/groups/STM/cmvp/notices.html">Notices</a>,
<a href="http://csrc.nist.gov/groups/ST/key_mgmt/documents/Transitioning_CryptoAlgos_070209.pdf">discussion paper</a> and
-<a href="http://csrc.nist.gov/publications/drafts/800-131/draft-sp800-131_spd-june2010.pdf">SP 800-131</a>
+<a href="http://csrc.nist.gov/publications/drafts/800-131/draft-sp800-131_spd-june2010.pdf">SP 800-131</a>.
<p>
We hope to address these new changes in the next open source based validation (see below).
financial resources of the OSF. Past validations have been funded by
commercial sector and government sponsors, some identified in published acknowledgments and some not (by request).
<p>
-The OSF assists commercial software vendors with "private label" validations on a regular basis, and in some cases such
-work directly results in FIPS related code improvements. The income from such work also helps OpenSSL team members eat and pay
-the rent and thus indirectly supports all of OpenSSL. However, unless you are one of the companies directly obtaining a custom
-private label validation those improvements don't give you validated cryptography that can be sold in the markets requiring such validation.
+The OSF assists commercial software vendors with "private label" validations on a
+regular basis, and in some cases this work directly results in FIPS related code
+improvements. The income from this work also helps OpenSSL team members eat and pay
+the rent and thus indirectly supports all of OpenSSL. However, unless you are one
+of the companies directly obtaining a custom private label validation, those
+improvements don't give you validated cryptography that can be sold in the markets
+requiring such validation.
<p>
-If and when sufficient sponsor funding materialises we will move quickly and enthusiastically to
+If and when sufficient sponsor funding materialises, we will move quickly and enthusiastically to
obtain a new and updated validation to satisfy the validation requirements then in effect.
Any such plans will be posted here.
<p>
<h1>One Stop Package Deal for Private Label Validations</h1>
-If you haven't already please read our <a href="fipsnotes.html">FIPS 140-2 Notes</a> page.
+If you haven't already
, please read our <a href="fipsnotes.html">FIPS 140-2 Notes</a> page.
<h2>What It Is</h2>
We have found that one of the most popular commercial services offered by the
OpenSSL Software Foundation is the <a href="fipsnotes.html#privatelabel">private label validation</a>. It's not a
business we ever planned to be in, but as the originators of the source code based
-OpenSSL FIPS Object Module validations and with lots of practice we're gotten pretty good at it.
-The revenue we earn from these validations goes to support the OpenSSL project and for some
+OpenSSL FIPS Object Module validations, and with lots of practice, we've gotten pretty good at it.
+The revenue we earn from these validations supports the OpenSSL project, and for some
validations also results in useful additions to the OpenSSL baseline.
<p>
<h2>What You Get</h2>
-For the total fixed price of US$30,000 we will take obtain a Level 1 FIPS 140-2 validation in your name using the
+For the total fixed price of US$30,000 we will obtain a Level 1 FIPS 140-2 validation in your name using the
OpenSSL FIPS Object Module v1.2 (certificate <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051">#1051</a>)
with minor modifications for two common platforms. A common platform is a computing device (hardware and operating system)
that is available and familiar to us and the test lab(s). Examples of common platforms are:
<a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm">posted</a> by the CMVP.
<p>
-Within a week of of executing your contract with us your pending validation will also appear on the
+Within a week of executing your contract with us, your pending validation will also appear on the
<a href="http://csrc.nist.gov/groups/STM/cmvp/inprocess.html">pre-val list</a>. The presence of your product on
this list is sufficient to satisfy FIPS 140-2 requirements for some procurements.
<ul>
<li>You have already confirmed that the module generated from the
<a href="../../source/openssl-fips-1.2.tar.gz">OpenSSL FIPS Object Module v1.2</a>
-source distribution, or from a later OpenSSL 0.9.8<em>x</em> distribution, possibly with modifications, works on your platform(s).
+source distribution, or from a later OpenSSL 0.9.8<em>x</em> distribution, possibly
+with modifications, works on your platform(s).
<p>
- <li>Your modifications to the OpenSSL source code, if any, are not "cryptographically significant". Roughly speaking,
- that means the modifications do not affect the actual cryptographic algorithms. Modifications for portability, such
- as changing includes or redefining macros, or changes to the build process such as new compiler or linker options,
- are generally acceptable.
+ <li>Your modifications to the OpenSSL source code, if any, are not "cryptographically
+ significant". Roughly speaking, that means the modifications do not affect the
+ actual cryptographic algorithms. Modifications for portability, such
+ as changing <em>#include</em> statements or redefining macros, or changes to the build process such
+ as new compiler or linker options, are generally acceptable.
<p>
- <li>You application does not require cross-compilation (the build system and the target platform can be the same system),
- <em>or</em> your cross-compiled platform is one for which the complete build process including generation of the
- integrity test digest is already known and tested.
+ <li>Your application does not require cross-compilation (the build system and the
+ target platform can be the same system), <em>or</em> your cross-compiled platform
+ is one for which the complete build process, including generation of the
+ integrity test digest, is already known and tested.
<p>
<li>The actual platform, hardware and software, is either already available to the OSF and the lab or is supplied by you.
We will need at least two complete sets of platform hardware and software for customer provided equipment. This
equipment can be returned once the validation is awarded, though so far customers have preferred
to leave that equipment with us for regression testing of future revisions.
<p>
- <li>You have determined that the performance of the module is satisfactory on your specific target platform. Since the
- original #1051 validation we have made numerous performance enhancements. Some of these can be easily incorporated
+ <li>You have determined that the performance of the module is satisfactory on your
+ specific target platform. We have made numerous performance enhancements
+ since the original #1051 validation. Some of these can be easily incorporated
into routine private label validations and some cannot.
</ul>
<p>
-Note that we can still help you if not all these circumstances apply, we'll just have to look at your specific situation
-more closely.
+Note that we can still help you if not all of these circumstances apply, but we'll
+have to look at your specific situation more closely.
<p>
<hr>
projects / openssl-web.git / commitdiff