Brad House wrote:
> As far as I am aware, the 1.1 tarball won't be released until validation
> is complete, and the 1.0 tarball has been removed because the validation
> has been temporarily 'suspended'.

Correct on both counts (current deployments based on 1.0 can remain in
use). The release of 1.1 is further complicated by the recent signature
forgery problem which will require the entire test suite drill to be
repeated, which will mean further indeterminate delays.

That bug shows where the open source development model and the FIPS
140-2 validation process are not a good fit. The lead time for
correcting and announcing problems in OpenSSL code is usually measured
in days. The lead time for validating changes is measured in many
months. Closed source proprietary vendors of course have an enormous
incentive to skip the announcement step :-)

-Steve M.

--
Steve Marquess
Veridical Systems, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
301-524-9915 cell
301-831-8447 land/fax
marquess@veridicalsystems.com


______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org