top | item 46727011

(no title)

voidfunc | 1 month ago

FIPS is what happens when idiots get promoted and start reading too much LinkedIn CISO slop.

If a customer demands FIPS compliance charge them out the ass for it. Its not inherently secure, it requires in some cases massive re-engineering of product and toolchains, and mostly seems to be an ask from clueless deep pocketed Fortune 500 companies looking to minimize liability claims after a breach by being able to point at their FIPS compliance.

discuss

Aloha|1 month ago

FIPS is ancient and dates from the era when encryption was unusual and rare. That is why some of it seems so arcane. FIPS 140 didnt even allow software encryption until 140-3, 140-2 required a hardware secure enclave.

PeterWhittaker|1 month ago

Definitely false, at least historically. The original FIPS only required HW at levels 3 and 4, "required" in the sense that levels 1 and 2 were quite doable in software (level was/is no authentication to the CM, letting it be protected by the host; level 2 was/is a form of basic authentication, e.g., encrypting private keys under a key derived from a password).

I was part of a team that had multiple level 1 and 2 certificates for software-only CMs in the 1990s, both 140 and the second edition, 140-1.

ecb_penguin|1 month ago

[deleted]