> Our goal is to share this implementation with others in the Go community who have the same requirement, and to merge this capability into upstream Go as soon as possible.
You would be interested in this if you need the 'crypto' library to work in a FIPS 140-2 compliant way. You can switch on / off this mode by setting the runtime variable GOFIPS=1 before running your Go program [1]. Nice.
It looks like the Go community officially has no plans to support FIPS140-2 any time, so I'm glad to see this alternative.
The general theme is that you need to be using approved ciphers and you need to have your key management code certified by some external entity. It is an exhausting process ;)
>Microsoft's security reputation is so flawed, that some parts simply must be intentional, or coerced.
They are a lot better than they used to be. They went through a trial by fire in the 90s and early 00s and came through for the better.
It's worth noting that classified computer systems in the military-industrial complex run Windows, and not Linux, nor do they run the security cosplay that is OpenBSD.
Jonathan Blow ranted about the susceptibility of open source to supply chain attacks from state actors, which discussion recently became germane again in light of the xz backdoor.
What he didn't discuss was how vulnerable proprietary vendors (including, but by no means limited to, Microsoft) are to "rubber-hose vulnerability injection".
Anyway, it's good to see Microsoft actually participating in the open source process.
metadat|1 year ago
https://github.com/golang/go/tree/dev.boringcrypto/misc/bori...
But it looks dead for some time.
However https://github.com/golang-fips/go sprung up to take it's place.
I wonder why microsoft prefers to maintain it's own in entirety rather than share a piece of the burden.
abtinf|1 year ago
From the readme.
gct|1 year ago
korginator|1 year ago
It looks like the Go community officially has no plans to support FIPS140-2 any time, so I'm glad to see this alternative.
[1] https://github.com/microsoft/go/tree/microsoft/main/eng/doc/...
unknown|1 year ago
[deleted]
interroboink|1 year ago
This repo doesn't seem to list what sort of high-level/conceptual changes are involved. I could look at the diff, but that sounds exhausting :Þ
bpicolo|1 year ago
YZF|1 year ago
entropyie|1 year ago
unknown|1 year ago
[deleted]
purpleidea|1 year ago
Microsoft's security reputation is so flawed, that some parts simply must be intentional, or coerced.
Don't use this repo. Very interesting TIL about golang at Microsoft. Thanks for sharing.
tptacek|1 year ago
Don't use any FIPS branch of any platform, because FIPS is terrible. But the argument presented here seems facile.
nvy|1 year ago
They are a lot better than they used to be. They went through a trial by fire in the 90s and early 00s and came through for the better.
It's worth noting that classified computer systems in the military-industrial complex run Windows, and not Linux, nor do they run the security cosplay that is OpenBSD.
bitwize|1 year ago
What he didn't discuss was how vulnerable proprietary vendors (including, but by no means limited to, Microsoft) are to "rubber-hose vulnerability injection".
Anyway, it's good to see Microsoft actually participating in the open source process.