It's still a question/answer verification system -- why can't they just
submit all the questions and answers in one batch, and then submit bogus
questions and answers in another batch, and then intersperse them in the
third batch?

A check should not take forever and a freakin' day.

-Kyle H
----- Original Message -----
From: "Steve Marquess"
To:
Sent: Friday, September 08, 2006 4:31 AM
Subject: Re: OpenSSL FIPS 140 Support


> Brad House wrote:
> > As far as I am aware, the 1.1 tarball won't be released until validation
> > is complete, and the 1.0 tarball has been removed because the validation
> > has been temporarily 'suspended'.
> >

>
> Correct on both counts (current deployments based on 1.0 can remain in
> use). The release of 1.1 is further complicated by the recent signature
> forgery problem which will require the entire test suite drill to be
> repeated, which will mean further indeterminate delays.
>
> That bug shows where the open source development model and the FIPS
> 140-2 validation process are not a good fit. The lead time for
> correcting and announcing problems in OpenSSL code is usually measured
> in days. The lead time for validating changes is measured in many
> months. Closed source proprietary vendors of course have an enormous
> incentive to skip the announcement step :-)
>
> -Steve M.
>
> --
> Steve Marquess
> Veridical Systems, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> 301-524-9915 cell
> 301-831-8447 land/fax
> marquess@veridicalsystems.com
>
>
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majordomo@openssl.org


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org