NIST zrušil FIPS certifikaci OpenSSL

"It is disheartening after three-and-a-half years of work to have the certification pulled twice for reasons not clear to us." ... Weathersby said problems had been corrected in the module and the workaround submitted to the certifying laboratory, Domus IT Security Laboratory of Ottawa, for re-evaluation. He had been expecting CMVP to evaluate the lab results and reinstate the certificate when the notice of revocation was published on the Web site. NIST is not saying why the certificate was removed.

Tipnem si ze to najskor bolo tak, ze niektore firmy chceli (vlada?) odstranit konkurenta (OpenSSL) z trhu, tak sa snazili tam najst nejaku zamienku v kode, comu by odpovedalo aj cele to tajnostkarstvo zo strany NIST.

Existuje napr. open-source Crypto++ kniznica, ktora ma FIPS-140-2 level 1 certifikaciu, ale ta asi (zatial) nikomu nekonkuruje.

BTW, FIPS certifikacia sa da udelit len na prelozeny kod, takze tam mohli vymysliet nejake cachre a zatiahnut do toho prekladac/linker/loader zdielanych kniznic, atd.

Krachujici Baltimore a jim podobni. Vzdycky se hodi mit o "konkurenta" mene. Co si nezaplati, to pospini a poslapou, ale tak to je prece se vsim - cemu se divite? Byt neni OpenSSL to nejlepsi a nejbezpecnejsi reseni, je otevrene, zdarma a narozdil od komerce poskytuje stavajicim uzivatelum prinejmensim zaruky na moznost pokracovani vyvoje (vlastni/kymkoli) pokud by od toho soucasni lide upustili. To vite, nas "komunisticky" SW svoji komercni "nesportovnosti" (muze byt zdarma) mnohe pekne prudi! :)))

Jj, zhruba to som myslel. Akurat k tej poslednej vete - mam taky "tusak", ze za tym bude este nieco viac. Aj ked nerozumiem, co myslite spojenim "krachujuci Baltimore" (NIST spolupracuje s niekolkymi instituciami v Baltimore ale sam v Baltimore nie je (?)).

Baltimore je tu myslena firma, nie mesto...