Rich Salz

Results 134 comments of Rich Salz

> Due to changes in rules the self tests always run so that is no longer an issue.

When did the rules change?

But you don't yet have a validated 140-3 module, and according to https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf `fipsinstall` is outside the module boundary so there is no reason this cannot be made to work....

> It really depends on how the security policy is worded...

Yes. And I've read it multiple times. And just now I re-read Appendix A.

So does the current release support the currently-validated FIPS module or not? Right now it does not. It could. Fixing that would be more in line with the promise that...

I would expect that to work. Did the config file get updated with the digest and verification flag?

We want to run the selftest once at system install. Not every time a program starts.

> > We want to run the selftest once at system install. Not every time a program starts.
>
> Then unfortunately you have to use the 3.0 fipsinstall (at...

Here is a small reproducer in C++, written by an Akamai colleague. The code is at https://gist.github.com/richsalz/31a98a3095fa36ab6a66082a0c028a6f Here are the compile commands and timing. This small reproducer is *17 times...

> We need to be able to support a provider loading a key in a format that libcrypto doesn't know about and this means multiple parsing attempts.

The project...

@paulidale, Yes, I know about OpenQuantumSafe. It could have been done by them creating EVP_PKEY's, etc., by hand. That might not be as clean, admittedly, but you could have added...