OpenSSL loses FIPS 140-2 Certification (Or Not)

OhHellWithIt writes "Government Computer News reported on Tuesday that OpenSSL has lost FIPS 140-2 certification, only six months after receiving it. It sounds like bad news for those of us who would like to see open source gain more of a foothold in U.S. federal workplaces." Update: readers report that the certification status has shifted again.
  • Reasons Not Given? (Score:5, Insightful)

    by mr_rattles ( 303158 ) on Wednesday July 19, 2006 @10:49AM (#15743308) Homepage
    "The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary"

    This is one of the most ridiculous statements I've ever read. How is the problem supposed to be fixed if the vendor is never told what the problem is, and so what if it's proprietary? When I read a statement like this it suggests to me that there doesn't have to be a method behind how they determine what's rejected and what's not; the person(s) deciding could have simply had a proprietary "I'm in a bad mood today and want to take it out on someone" reason.
  • by ttfkam ( 37064 ) on Wednesday July 19, 2006 @10:57AM (#15743373) Homepage Journal
    Weathersby said OpenSSL has been challenged by companies with competing proprietary encryption technologies, and that those challenges are aided by the open-source model, which makes source code for the tools publicly available.

    "Now the opposing forces have the luxury of going in and trying to pick us apart," he said. "That's fine. That's fair. This is about dollars and cents. This is not about technology."

    This doesn't bother me so much on its face; OpenSSL can only get better after this intense review. What bothers me is that the "opposing forces" are not likely receiving the same level of scrutiny and yet presumably are fully certified for sensitive information by the US government.

    But of course they can't release the code for everyone else to review. People might steal their ideas, right? So how do we know they are secure rather than "mostly secure"? Or even worse, that they are "sort of secure, but the right people were taken out to dinner."
  • Re:Weasel words (Score:3, Insightful)

    by Southpaw018 ( 793465 ) * on Wednesday July 19, 2006 @11:07AM (#15743433) Journal
    It's the government. There is, unfortunately, no reason needed. Bureaucracy is part of the equation.
  • by Anonymous Coward on Wednesday July 19, 2006 @11:14AM (#15743477)
    They have a policy not to publicly disclose this info. This policy was set up for proprietary/closed source vendors. They just continued to follow that policy when dealing with an open source vendor. OpenSSL/OpenBSD will most likely tell the public this info at some point, but it still may be something they want to fix before publishing -- a practice which is common in both open and closed source products/projects.
  • Re:I'm guessing (Score:2, Insightful)

    by Ana10g ( 966013 ) on Wednesday July 19, 2006 @11:18AM (#15743506)
    That, and a myriad of other certifications... I think they make up certifications so that politics can decide what software can be used where... "Your application doesn't meet certification 'X', sorry, we're going to use your competitor's product, (who, btw, funded the creation of the certification)."
    I of course, can't really back that up, but that's what it seems like to me.
  • Re:Stupid Politics (Score:4, Insightful)

    by hey! ( 33014 ) on Wednesday July 19, 2006 @11:31AM (#15743613) Homepage Journal
    Well, certification should not be viewed as reward, and removing certification should not be a punishment.

    It should have nothing to do with the recipient of the certification; it should be based on whether the product meets certain well established and reasonable criteria, given the best information at the time.

    Furthermore, it makes sense not to tell the world exactly what vulnerability you found that caused the product to be decertified, until your agencies can stop using it, which is not overnight.

    However.

    What doesn't make sense is concealing this from the organization that obtained the certification to begin with, and presumably could save the Federal government much cost and inconvenience by addressing the problem. In fact, it's terrible.

    How can we know this wasn't done as favor to a political contributor?

    We can't.

    Even before 9/11, the stance of this administration has been that explaining its reasons for doing things -- only in certain situations, mind you -- unduly hampered its ability to get frank and unvarnished advice from industry. Leaving aside that no presidency in living memory ever felt this to be a problem, we have to decide. We either can know that our officials aren't taking payoffs, OR we deprive those officials of advice whose nature is such that if we knew what it was there would be a public scandal.

    If that last sentence seems hard to parse, it's because it doesn't make any sense. The underlying premise is absurd: that public officials need to be able to do shameful things.
  • by Ginger Unicorn ( 952287 ) on Wednesday July 19, 2006 @12:36PM (#15744161)
    I think it's probably that they don't want to give away their analytical procedures, rather than their information gathering procedure, which as you point out you already knew, having gone through it.

    Think about it: if they told you why they rejected you, you could tell someone else what to do in order to pass that part of the test, thus jeopardising the validity of future tests.
