OpenSSL security validation encryption tool uncertain

20.07.2006
A joint U.S. and Canadian organization that certifies encryption tools for use by federal government agencies has suspended its validation of OpenSSL cryptographic technology for the second time in less than six months.

The decision means that government agencies cannot purchase the open-source tool for the time being, although those that have already done so will still be allowed to use it. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer security protocols. It is widely used to encrypt and decrypt data on the Internet.

The decision to suspend validation of the tool came just two days after the group doing the validation, Cryptographic Module Validation Program (CMVP), had taken the harsher step of revoking the tool entirely. It backed away from that decision and opted for a suspension of the process instead.

News of the rapid changes to the validation effort drew criticism from theHattiesburg, Miss.-based Open Source Software Institute (OSSI), a non-profit group trying to get the OpenSSL encryption module validated for use in government. John Weathersby, OSSI's executive director, Wednesday alleged that the move appears to have been influenced by vendors of proprietary technologies who stand to lose a lucrative market if an open source alternative is certified.

"There are some vendors fighting like hell to make this die, and I can see why," said Weathersby. "What's going on is the question of the day. This is not a technology issue, this is a political issue."

OpenSSL is supported on several major platforms, including many flavors of Unix, Apple Computer Inc.'s Mac OS X and Microsoft's Windows.