Talk:FIPS Warnings and Cautions

From OpenSSLWiki

Distribution from Snail Mail CD

"You must use a source distribution file from an official snail-mailed CD."

I understood it to be the case that you CAN download it, but if you do you MUST verify the HMAC-SHA-1 digest with an independently validated FIPS 140-2 product. Getting access to such a product may be very difficult for most people!!

Yes, difficult approximating impossible ... see the discussion in Section 6.6 of the FIPS Module User Guide. That discussion summarizes an extensive dialog with the CMVP during which it became clear that no unassailably correct "download" solution was possible (at least for the OpenSSL FIPS Object Module which is held to a different standard than other validations).--Stevem 23:25, 27 January 2014 (UTC)