After 2 years of forced COVID break, OpenSSL once again presented at the ICMC22 conference. The conference was a very pleasant meet-up of the community around cryptography and cryptographic modules, with many insights, feedback, and discussions around IT security. OpenSSL gave a talk on the Current Status of OpenSSL.
The OpenSSL presentation contained a number of key takeaways, which are listed at the end of the presentation.
1. Key Takeaway: Opportunity to access a free FIPS 140-2 rebranding!
As we announced in our blog post, we are excited that OpenSSL will provide Premium Support Customers the opportunity to access a free FIPS 140-2 rebranding of the OpenSSL 3.0 FIPS module.
2. Key Takeaway: OpenSSL aspirations to be closer to our stakeholders
We have outlined the OpenSSL vision statement that is still being formed:
“Be a trusted open-source software leader in general-purpose cryptography and secure communication that meets FIPS requirements for cryptographic modules for commercial needs.”
Although it is still being formed, it should already make visible the project's aspiration to be closer to our stakeholders (community, customers, users, sponsors, … you) and to become your trusted partner, more predictable and more reliable. These changes will primarily require improvements in communication and transparency.
3. Key Takeaway: There is a significant increase in FIPS 140-2 algorithms added to the new module
We put a significant number of new algorithms into the recent FIPS 140-2 module, a major increase over the previous module. The key area is the cryptographic building blocks used by security protocols. That was a non-trivial effort.
4. Key Takeaway: 140-2 FIPS provider can be used across minor versions due to changes in architecture
Significant architectural changes introduced a provider concept that clearly demarcates algorithm implementation from algorithm usage. OpenSSL providers have a well-defined ABI and will be stable across minor versions (i.e. OpenSSL 3.x will work with the OpenSSL FIPS provider 3.0.0 for all values of “x”).
5. Key Takeaway: Anybody else can implement a new crypto algorithm - 3rd-party providers
3rd-party providers are already being created (OQS, GOST, TPM, BLAKE). We wanted to show that anybody else can implement a new algorithm that OpenSSL doesn’t know about in exactly the same way that OpenSSL’s own algorithms are implemented.
6. Key Takeaway: Change of Announced Roadmap Plan
We shed some light on the versioning of the OpenSSL releases that the OMC agreed on.
The OpenSSL 3.1 release will be about FIPS 140-3 validation submission
OpenSSL 3.1 will be the FIPS 140-3 submission release, based on the current OpenSSL 3.0.
QUIC MVP release pushed to OpenSSL 3.2 release
OpenSSL 3.1 was going to be the initial QUIC support release. We are pushing that to OpenSSL 3.2 (renaming the release). This release is about a Minimal Viable Product (MVP) that provides client-side, single-stream (single-connection) support only.