Security validation of OpenSSL encryption tool uncertain

20.07.2006

"There have been some commercial interests who are unhappy with open-source validation like this," Marquess said. "One of them has been working for several years to challenge multiple aspects of what we are trying to do," he said without naming the vendor.

One of the results is that the requirements for OpenSSL to get FIPS 140-2 validation keep changing, he said. "One of our frustrations through this whole ordeal is pinning down the requirements in concrete technical terms," he said. "The requirements keep changing on us all the time."

George Adams, the president and CEO of SSH Communications Security, a Wellesley, Mass.-based vendor of encryption products, said that concerns about the use of OpenSSL in government environments are valid. As an open-source tool, OpenSSL is subject to constant changes that would invalidate its certification on a regular basis, he said.

For instance, any changes made to the source or linked library in the cryptographic module will create a non-validated module, he said. Similarly, any additional cryptography outside of the validated module would need to be tested and validated.

Marquess dismissed such concerns. He said that the security policy associated with OpenSSL guarantees that the source code used to generate the cryptographic module is unmodified at all times.