Kyle Hamilton wrote:
> As has been mentioned numerous times by Steve Marquess, the FIPS
> validation process is fraught with peril. It is entirely, from what I
> gather, rather like playing Chutes & Ladders with a constantly-changing
> board.

I have been holding off on making any announcements regarding v1.1.2,
hoping to have something definitive to report. But every time we think
we might know what's happening the situation changes. At present, it
appears the time-line for (re)validation of v1.1.2 is an uncertain as
ever. The review questions we're getting from the CMVP for this "fast
track" validation imply they will require additional changes to meet new
requirements not in effect when the original validation was awarded.
That work would have to occur at the expense of the v1.2 validation,
should we elect to make that painful trade-off. With the #733
validation effectively revoked for over a month it seems to me that much
of the damage has already been done; many or most of those vendors and
users impacted by that revocation have probably already been forced to
pursue other alternatives to waiting for the approval of the
vulnerability patch.

Currently, we are weighing our options to determine how to best use our
resources to provide the greatest benefit through these validation
efforts. We'd also like to acknowledge the continued commitment of
DOMUS, the IT security lab for this project, and representatives from
the development and vendor communities who have continued give so much
of their time and resources to this effort.

> There cannot be any effective estimate of when it may be done; the best
> estimate is equally likely to be 'next month' as it is to be '2018'..

Kyle's answer is as good as any I could give.

-Steve M.

Steve Marquess
Open Source Software Institute

__________________________________________________ ____________________
OpenSSL Project
User Support Mailing List
Automated List Manager