While a lot of people have asked for FIPS over the years, we do realise, in the light of what's happened recently, thinking about FIPS might seem a bit odd. That said, NIST have announced they're trying to reform, and the reality is that FIPS or something like it will be with us for some time to come. While we'd like to say we hope the reform effort goes well, as organisations like NIST if able to do their jobs well are really really useful, we also figure that having Java and C# APIs which was are not only FIPS certified but publically verifiable would be a step in the right direction all round.
There are other issues we are trying to address with this as well, at the moment FIPS still represents a real barrier to organisations and developers trying to build applications which are to talk to Government and other organisations that require FIPS. There has been some success at crossing this barrier with OpenSSL's efforts but it is clear that a few more offerings in the area are really needed. Most of the users of Bouncy Castle would understand that even if FIPS is not required today, some application they're working on in the future may well require FIPS, or a certification related to it. On top of that, a lot of people have invested a lot of time in learning the BC APIs, and it would seem to be to everyone's benefit that they'd be able apply the same knowledge in a FIPS environment as well. From our point of view going through the process might improve our general QA and further ensure that our implementations really are spot on. Of course, we're still going to maintain our regular distributions, so for anyone using the APIs it'll be their decision to be FIPS compliant or not. We are not really interested in telling people what they can and cannot do — we are more an "opportunity creation" type of group.
So just over a week ago, coinciding with our 50th Java release, Charity registration in hand, we decided to launch our fundraiser. Since then we've had 7943 downloads of the various 1.50 artifacts from our main server, and an unknown number from the central maven repostory and our mirror, and we've raised $2,642.34 AUD and 0.004 Bitcoins. I won't mention everything else that's been downloaded as well, but I'm sure you get the idea. While I'd like to thank the people that have donated, it's clearly a bit of a slow start. Obviously we are a bit new at this, and clearly much better programmers than fund raisers!
So, I guess, my scoop is that we are doing a fundraiser, and despite our abilities in the API department and the widespread use of the APIs, we're clearly not doing it very well. It appears almost no one is aware of it! Anyone interested in donating can find the details on the Bouncy Castle website but I would also like to use this opportunity to get some feed back on the whole idea, and what concerns people might have about the changes to how we are now doing things at Bouncy Castle. Some people have suggested that it would be more appropriate for some larger IT companies to be donating, and while we'd certainly appreciate a grand gesture, for us having a broad base of donors is also an important way of maintaining our independence. Having said that, any suggestions about how we might proceed more effectively will also be most welcome and I will follow this track so I can respond to any questions people might have."