Talk:FIPS Warnings and Cautions

From OpenSSLWiki
Revision as of 11:40, 12 March 2014 by Jwalton (talk | contribs) (moved Talk:FIPS:FIPS Warnings and Cautions to Talk:FIPS Warnings and Cautions: Fixed page title)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Distribution from Snail Mail CD[edit]

"You must use a source distribution file from an official snail-mailed CD."

I understood it to be the case that you CAN download it, but if you do you MUST verify the HMAC-SHA-1 digest with an independantly validated FIPS 140-2 product. Getting access to such a product may be very difficult for most people!!

Yes, difficult approximating impossible ... see the discussion in Section 6.6 of the FIPS Module User Guide. That discussion summarizes an extensive dialog with the CMVP during which it became clear that no unassailably correct "download" solution was possible (at least for the OpenSSL FIPS Object Module which is held to a different standard than other validations).--Stevem 23:25, 27 January 2014 (UTC)