March 14, 2007

Open Source Software Institute Launches the OpenCrypto Management Program

jmw writes "Washington, DC, Wednesday, March 14, 2007 -- The Open Source Software Institute (, announced today the official launch of the OpenCrypto Management Program, a U.S. Department of Defense-sponsored follow-on to OSSI's successful effort to secure Federal Information Processing Standards (FIPS 140-2) validation for the OpenSSL FIPS Object Module (CMVP certificate #733).

The OpenCrypto program is being conducted in conjunction with the DoD's Open Technology Development (OTD) roadmap initiative introduced in 2006. The announcement was made during the Open Technology: Realizing the Vision conference hosted by the Association for Enterprise Integration (AFEI) and OSSI.

“The OpenCrypto Management Program is a continuation and expansion of the OpenSSL FIPS validation effort,” said OSSI executive director John Weathersby. “Interests within the DoD were pleased with the results of the initial OpenSSL validation program and have identified extensions to that work for greater availability of FIPS 140-2 validated open source software for use within DoD IT systems.”

As the program manager, OSSI will provide coordination, development and technical support to DoD, industry and open source community participants. The program's initial scope includes validating a more current version of the recently validated OpenSSL Object Module, significant technical enhancements, and encouraging the incorporation of support for the FIPS module in the most popular open source applications such as OpenSSH, Apache mod_ssl, Stunnel, and cURL.

An interesting twist on the project includes OSSI's efforts to develop and support a “Rolling Validation” for the OpenSSL FIPS Object Module. According to the initial strategy, OSSI and the OpenSSL team will work to validate a current version of OpenSSL that has FIPS support as a binary module. On a rotating basis, estimated at every six to nine months, the OSSI and OpenSSL team will submit an updated version for another validation. These rolling validations are designed to address vendor concerns with the schedule uncertainties experienced with the initial open source based validation.

“Prospective end users can use the specific binaries that were validated, if they happen to be suitable as-is. If not, OSSI will in collaboration with the OpenSSL team build a binary for the desired platform, where technically possible” said OSSI technical project manager Steve Marquess. “Under a CMVP process known as "vendor affirmation" (CMVP Implementation Guidance, section G.5) that binary as delivered to the end user will satisfy the requirements for a FIPS 140-2 validated module.

“For non-U.S. DoD end users there will be a one-time charge calculated on a cost-recovery basis,” he said.

The only such validated foundation currently available is the one for certificate #733, circa 0.9.7j, which end users can build from source themselves. The next open source validation based on more current source will not be available for minimum of six months.

For additional information on the OpenCrypto Management Program or the Rolling Validation project, please contact John Weathersby at

About OSSI

The Open Source Software Institute ( is a U.S.-based non-profit organization whose mission is to promote the development and implementation of open source software solutions within U.S. Federal, state and municipal government agencies. For additional information, please visit the OSSI website at

About OpenSSL

The OpenSSL Project ( is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

# # #"


Click Here!