Via Linux.com -
After a long and arduous journey that included a suspended validation last year, the Open Source Software Institute (OSSI) has announced that OpenSSL has regained its FIPS 140-2 validation and is now available for download. The validation process, which normally lasts a few months, took an astounding five years to complete, and those involved with the projects say they are already devising ways to avoid such long delays in future validations.
OpenSSL is an open source toolkit that allows programs to securely exchange data in the same fashion as proprietary versions of Secure Sockets Layer encryption. It is licensed under an "Apache-style" license that allows users to download the toolkit at no cost, freely distribute it, and use it for both commercial and non-commercial purposes. The tarball, complete source code, security policy, and all documentation is now available on the OpenSSL Web site. Developers are currently working on a user's guide and plan to make it available in the upcoming weeks.
In order for governmental agencies like the Department of Defense to use open source software to manage sensitive data, federal regulations state its security must be validated by the Computer Module Validation Program (CMVP). The CMVP is a joint venture between the US National Institute of Standards and Technology (NIST) and the Canadian agency Communications Security Establishment (CSE). OpenSSL's validation process was managed by the OSSI, whose goal is to encourage the use and development of open source software within educational and governmental agencies.
One reason OpenSSL's validation took so long is because of the new testing approach the CMVP devised to ensure the security of the software. The validation process usually involves testing binary modules for software applications, but that was not a practical approach for testing this particular toolkit. OpenSSL users may, in some cases, opt to compile their own versions, while others will choose a precompiled version. As a result, the software may behave differently according to how it is compiled, necessitating that the CMVP test the source code itself instead of just binary modules. "It's a unique validation," says OSSI technical project manager Steve Marquess. "We did several things for the first time that required a long learning curve for both us and CMVP."
Validating source code wasn't the only thing gumming up the works for OpenSSL. According to John Weathersby, executive director for OSSI, several proprietary software companies with similar products mounted a campaign to delay, if not totally derail, the validation of an open source SSL toolkit. Weathersby suggests that perhaps some vendors of proprietary software felt threatened by the idea that free SSL software that had been validated for government use would undercut their ability to sell similar products to government agencies and decided to interfere with the validation process.
No comments:
Post a Comment