Wan-Teh Chang wrote:
Note that NIST already allows a crypto module vendor or user to recompile the source code, without modification, for another platform and *maintain the validation status*, with the caveat that NIST makes no statement about the correct operation of the crypto module on platforms not listed on the certificate. See implementation guidance (IG) G.5 in http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf.
So what do you think of source validation or the vendor/user re-compilation allowed by IG G.5? Wan-Teh
From the PDF (CMVP = Cryptographic Module Validation Program for those that don't know. http://csrc.nist.gov/cryptval/ or http://www.csrc.nist.gov/pki/PKITesting.html):
"The CMVP allows user porting of a validated software cryptographic module on an OS(s) and/or GPC(s) which were not included as part of the validation testing. The validation status is maintained on the new OS(s) and/or GPC without re-testing the cryptographic module on the new OS(s) and/or GPC(s). However, the CMVP makes no statement as to the correct operation of the module when executed on an OS(s) and/or GPC(s) not listed on the validation certificate."
After reading that passage it would seem you are correct. Good info since this applies to any open-source validated product.
Thanks for the response, Dave _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
