Doing FIPS responsibly since 2014!
wolfSSL Inc has been made aware of concerning practices in the FIPS space by certain software module vendors. The wolfSSL team feels these practices are to the detriment of the FIPS community and trust in the FIPS program.
- CLAIM 1: One does not need an operating environment (OE) listed on a FIPS cert, just having it mentioned in the security policy as “vendor affirmed” is good enough
- CLAIM 2: As long as the code compiles and no changes are made to the code it is “FIPS Validated”
wolfSSL Inc is not denying the first claim, some FIPS users may find a vendor affirmation sufficient for their FIPS needs however our team believes this practice has potential to be detrimental to trust in the FIPS program. Some software module vendors are abusing vendor affirmation as a loop-hole to avoid testing on new OEs’ that differ from tested configurations. Our team would outright refute the second claim as patently ridiculous. If software tested on Intel silicon and a Windows OS is compiled for VXWorks running on ARM silicon (regardless if no code changes were made) there is no way to predict (without testing) that the software crypto will behave the same under this new OE as it did under a previously tested configuration. To be clear the wolfSSL team is not discussing physical hardware modules, only software modules.
wolfSSL Inc. Stance:
- Vendor affirmation makes sense for a physical design. Hardware maker’s are capable of determining security relevant effect of a design change to a hardware module.
- Vendor affirmation in some select cases might make sense for software modules but certainly not in a general sense or as a de facto approach to FIPS, especially when the OE being vendor affirmed is wildly different from the original “tested configuration”. This scenario should raise a red flag.
It is near impossible for a software vendor to predict how changes to the processor or OS will affect the way the software executes regardless if it compiles without code changes. If/when the software vendor is unable to make a security relevant determination, testing should be performed to compensate.
If you have any other questions please contact either firstname.lastname@example.org or email@example.com anytime. We offer free pre-sales customer support, we have FIPS evaluation options and our staff are knowledgeable and eager to help!