Status of OpenSSL FIPS certification shifts again
- By William Jackson
- Jul 18, 2006
The National Institute of Standards and Technology apparently has backtracked on its revocation of OpenSSL certification under the Federal Information Processing Standard.
OpenSSL, which is managed by the Open Source Software Institute in Hattiesburg, Miss., in January became one of the first open-source software products to be validated under NIST's Computer Module Validation Program for FIPS 140-2. Since then, the certificate has been suspended, then apparently revoked; on Tuesday it was placed back into suspension.
OSSI executive director John Weathersby said he was informed by his third-party certification testing lab that the revocation had been a mistake by NIST.
NIST officials were not available for comment. FIPS certificate 642, which could not be accessed on the CMVP Web site Monday, was back in place Tuesday afternoon, although it still was marked 'not available,' which means it is not now valid.
If a validation certificate is marked 'not available,' the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.
OpenSSL is an open-source implementation of the Secure Sockets Layer encryption protocol that browsers and other programs can use to exchange data securely. The certification is critical to government use of the software, because FIPS 140-2 validation is required for cryptographic products protecting unclassified but sensitive data.
The suspension took place in June, when questions were raised about the cryptographic module's interaction with software elements outside the certified module. Weathersby said the problems have been corrected and the workaround submitted to the certifying laboratory, Domus IT Security Laboratory of Ottawa, for re-evaluation.
Weathersby said the results of the re-evaluation would be submitted to CMVP for a final review and reinstatement of the certificate.
NIST does not explain CMVP certificate suspensions because the information may be proprietary. But CMVP supervisor Randy Easter said in a written statement that if critical problems are found, agencies would be notified to cease using the module.
NIST does not appear to have issued such a notice with regard to OpenSSL.
William Jackson is a Maryland-based freelance writer.