The open source OpenSSL security solution has been refused validation for US government use, even though some government agencies are already using it.
The Cryptographic Module Validation Program (CMVP) validation agency, which approves cryptographic solutions for federal agencies in the US and Canada, has suspended the validation of OpenSSL for the second time this year.
The decision means that government agencies cannot purchase the open source solution for new implementations, although existing OpenSSL installations can carry on as normal.
OpenSSL is an open source implementation of the widely used Secure Sockets Layer (SSL) protocol, which is commonly used to encrypt and decrypt data across the internet.
The decision to suspend validation came just two days after the CMVP had taken the more serious step of revoking the tool's validation entirely. It then opted for a suspension of the validation process instead.
The Open Source Software Institute (OSSI), a non-profit group trying to get the OpenSSL encryption module validated for government use, claimed the move had been influenced by suppliers of proprietary encryption solutions fearful of losing sales.
A validated OpenSSL tool would allow suppliers to include a free CMVP-compliant module in their products.
However, the CMVP is said to have misgivings about the security of the solution in government circles.
The technology's first validation was revoked in January. Validation was then issued again in March after changes were made to the module, before it was again suspended.