Contact: John Weathersby, Open Source Software Institute [email protected] OpenSSL Secures New FIPS 140-2 Validation Open Source Cryptographic Module Once Again Available for Government Adoption and Usage Hattiesburg, MS Wednesday, February 7, 2007 The Open Source Software Institute (OSSI) announced today the FIPS 140-2 validation of the OpenSSL FIPS Object Module, a cryptographic library based on the widely used OpenSSL product. The official validation certificate (#733) is now posted at the NIST FIPS 140-1 and 140-2 Cryptographic Modules Validation List (http://csrc.nist.gov/cryptval/140-1/1401val2007.htm). The OpenSSL FIPS Object Module is freely available and can be downloaded immediately athttp://www.openssl.org/source/openssl-fips-1.1.1.tar.gz. The OpenSSL FIPS Object Module Security Policy and User Guide are also available for download through the OSSI website (www.oss-institute.org) and may be used and reproduced without restriction. -------------------------- Why this is important to government, IT and open source readers: 1) Information Assurance (IA) programs/modules, such as OpenSSL, must achieve government validation (FIPS & Common Criteria) before they can be acquired or used within Dept of Defense systems. (govt policy which regulates this is the National Security Telecommunications and Information Systems Security Policy (NSTISSP) Number 11) 2) FIPS validation demonstrates validity, durability and security of the open source OpenSSL crypto module...as secure as any comparable "commercial version" validated module. Strict scrutiny of the transparent, open source code caused some delays, but outcome resulted in the most thoroughly viewed and tested module available. 3) Validation demonstrated the efficient nature of the open source development model. Updates and modification were made in hours, not days or months. 4) Cost benefit to all government, industry and private developers and implementers who wish to adopt the open source OpenSSL Object module. It is freely available, as it has already been paid for by DoD and industry sponsors. 5) All documentation (Security Guide and User Policy) is being made freely available for download or reuse without restriction. Also, the test vectors will be released so that others who wish to undertake a similar validation effort will have documentation and reference materials. This too, is viewed as part of the original package and paid for by DoD and other sponsoring entities. For additional information, please contact: John Weathersby, OSSI tel: 601.427.0152 John M. Weathersby, Jr. Executive Director Open Source Software Institute National Center for Open Source Policy and Research tel: 601.427.0152 Ad maiorem dei gloriam (AMDG) Audentes fortuna juvat (fortune favors the bold)