OpenSSL security validation encryption tool uncertain

20.07.2006

OpenSSL received its precedent-setting validation in January from the CMVP, which is charged with validating and certifying that cryptographic tools sold to government agencies meet the requirements of the Federal Information Processing Standard (FIPS) publication 140-2. The CMVP was established by the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment of the Canadian government.

A validated OpenSSL tool would allow OS vendors, Web browser makers and vendors of other software products such as e-mail to include a free FIPS-140 compliant cryptographic module. The OpenSSL FIPS 140-2 validation effort is sponsored by the Defense Medical Logistics Standard Support (DMLSS) program, which provides medical logistics support to the U.S. Department of Defense.

Currently, agencies looking for encryption capabilities spend hundreds of thousands of dollars -- and in some cases, millions of dollars -- licensing proprietary crypto tools that are FIPS 140 certified.

Since January, however, the validation for OpenSSL has been revoked and reinstated twice, Weathersby said. The first revocation happened in January, barely four days after OpenSSL was first validated by the CMVP. It was awarded a FIPS 140-2 validation again in March after some changes were made to the module.

On Friday, OSSI was told that the validation had again been revoked, Weathersby said. That changed yesterday, when the organization learned that the OpenSSL certificate had been incorrectly "revoked" and is now instead "not available." That means that the OpenSSL cryptographic module can no longer be bought by government agencies, although it can be used by those that already have it.