[Info-vax] VSI has released 9.2-1
Gary Sparkes
mokuba at gmail.com
Wed Jul 19 02:52:21 EDT 2023
On Wednesday, July 5, 2023 at 10:36:48 PM UTC-4, Arne Vajhøj wrote:
> No. But that is not the problem.
>
> FIPS 140-2 certification is a certification of hardware
> and software.
>
> VMS 9.2-1 on a VirtualBox VM setup as ... running on
> RockyLinux 9 running on Dell Inspiron 7591 with Intel i7(x64)????
>
> Arne
I'll note that certification isn't necessarily required for procurement, and that
it ISN'T a combination of hardware AND software together. You can certify
specific combinations, yes, just as you can certify just hardware alone, or
just software alone.
Note that Windows, with the correct configuration, is considered compliant
on ANY hardware or virtualization solution. You can be validated as Software,
Software-Hybrid, or Hardware. Microsoft's solutions are almost all validated
as SOFTWARE or SOFTWARE-HYBRID. It is compliant when configured
correctly, regardless of hardware.
What you listed above in a previous post is the "tested configuration",
which isn't the actual validation. It's just saying what they used to
validate that the specific module meets the requirements and standards in
the NIST lab setup.
Take a look at the consolidated certificate, showing the hardware/software
configurations of the actual validations:
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/August%202022_010922_0715_signed.pdf
Note that the OpenSSL FIPS Provider validation only refers to the
software version and has NO hardware data with it, because the validation is
on the software only.
The important takeaways from the OpenSSL validation you linked are:
"When operated in FIPS mode. No assurance of the minimum strength of
generated keys." and "Module type: SOFTWARE". That means, yes, it's
compliant, with caveats.
Nominally, the software is only considered to be functioning in validated
and compliant mode if configured according to the security policy (usually)
linked on the validation page.
"This is what we tested it on" isn't the same as "it is only validated on".
Side note: CMVP is no longer accepting submissions for 140-2
certifications, only 140-3. After September 21, 2026, 140-2 modules are
considered "historical" and should only be procured in support of existing
deployments.
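As an added illustration of what "operated in FIPS mode" means for a SOFTWARE-type module such as the OpenSSL FIPS Provider (this is not part of the post above and not VSI's or OpenSSL's own shipped configuration): the provider's security policy requires that the module be installed with `openssl fipsinstall`, which writes a `fipsmodule.cnf` containing the integrity check data, and that applications load it through the OpenSSL configuration. The fragment below is an OpenSSL 3.x `openssl.cnf` that activates the FIPS and base providers and sets the default property query to `fips=yes`, so that only algorithms from the validated provider are selected. The include path `/usr/local/ssl/fipsmodule.cnf` is an assumption; it depends on where `fipsinstall` was run.

```ini
# Added example: OpenSSL 3.x configuration that runs the FIPS provider in FIPS mode.
# Assumes `openssl fipsinstall` has already generated fipsmodule.cnf at the path below.
config_diagnostics = 1
openssl_conf = openssl_init

# Path is an assumption; use the location passed to `openssl fipsinstall -out`.
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
# [fips_sect] itself comes from the included fipsmodule.cnf
fips = fips_sect
# The base provider supplies encoders/decoders (no crypto) so keys and
# certificates can still be loaded without pulling in the default provider.
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
# Restrict algorithm fetches to the validated provider.
default_properties = fips=yes
```

With this in place, `openssl list -providers -verbose` should show the `fips` and `base` providers active and nothing else; if the `default` provider is also listed, non-validated implementations remain reachable and the deployment does not match the security policy. The same check is worth repeating after any OpenSSL upgrade, since a new library version does not carry the validation of the module it replaces.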