By William Jackson
The National Institute of Standards and Technology has revoked certification of the open-source encryption tool OpenSSL under the Federal Information Processing Standard.
OpenSSL in January became one of the first open-source software products to be validated under NIST's Computer Module Validation Program for FIPS-140-2. The certificate apparently was suspended in June when questions were raised about the validated module's interaction with outside
The revocation caught the Open Source Software Institute, which shepherded the module through the validation process, by surprise.
"I am discouraged with what appears to be another change after certification has been awarded," said executive director John Weathersby. "It is disheartening after three-and-a-half years of work to have the certification pulled twice for reasons not clear to us."
On July 14 the CMVP Web site listed the OpenSSL certificate 642 as revoked. On Monday it was listed as not available. A statement from CMVP supervisor Randy Easter indicated there is no distinction between the two. "If a validation certificate is marked as revoked or not available, the module validation is no longer valid," the statement said.
FIPS-140-2 certification is required for cryptographic products used by agencies for unclassified but sensitive information. OpenSSL is an open-source version of Secure Sockets Layer encryption that can be used by browsers and other programs to securely exchange data. The option of using an open-source tool could save agencies money in software licensing fees.
"Our biggest advocate at this point is the Defense Information Systems Agency," Weathersby said. "They are using it."
An official with the Defense Department's Defense Medical Logistics Standard Support program told GCN when certification was granted that OpenSSL could save the program hundreds of thousands of dollars.
Weathersby said OpenSSL has been challenged by companies with competing proprietary encryption technologies, and that those challenges are aided by the open-source model, which makes source code for the tools publicly
"Now the opposing forces have the luxury of going in and trying to pick us apart," he said. "That's fine. That's fair. This is about dollars and cents. This is not about technology."
Those challenges apparently resulted in the original suspension in June. Weathersby said problems had been corrected in the module and the workaround submitted to the certifying laboratory, Domus IT Security Laboratory of Ottawa, for re-evaluation. He had been expecting CMVP to evaluate the lab results and reinstate the certificate when the notice of revocation was published on the Web site.
NIST is not saying why the certificate was removed. "The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary," Easter said in his statement.
Weathersby said OSSI would challenge the revocation and has lined up funding to pursue recertification. "We are by no means giving up on this," he said. "We are frustrated by the process, but we are not quitting."