OpenSSH use of OpenSSL in FIPS Mode

Steve Marquess marquess at
Tue Mar 6 23:13:46 EST 2007

Joshua Hill wrote:
> ...
> I think that we agree that one could design a module that does implement
> all of the security relevant portions of a protocol.  Is it done in the
> case of Microsoft's Kernel Module?  I have no idea, and I wouldn't care
> to speculate.
> ...

A tangential observation to your discussion with Dr. Kladko: you are in 
effect saying that open source software should be held to a higher 
standard than proprietary software.

During the five year process that led to the OpenSSL FIPS Object Module 
validation (#733), we were subjected to repeated challenges from 
anonymous "interested parties", each of which had to be painstakingly 
addressed. Each of which delayed the process. The end result was a 
better product, or at least a higher comfort level for the CMVP, but at 
the cost of a validated result now obsolescent to the point of near 
irrelevance for commercial purposes (fortunately OSSI now has the 
financial backing to pursue additional validations of more current 

Dr. Kaldko is pointing out that the actual practice of FIPS 140-2, and 
claims of validation thereof, doesn't agree with the theory you espouse. 
Entirely aside from the possible merits of that theory, where open 
source is involved FIPS 140 isn't a level playing field. I think the 
results would be very entertaining indeed if someone like Groklaw's 
Pamela Jones were to take an interest in that topic.

-Steve M.

Steve Marquess
marquess at

More information about the openssh-unix-dev mailing list