[HN Gopher] The FIPS 140-3 Go Cryptographic Module
___________________________________________________________________
The FIPS 140-3 Go Cryptographic Module
Author : FiloSottile
Score : 29 points
Date : 2025-07-15 20:42 UTC (2 hours ago)
(HTM) web link (go.dev)
(TXT) w3m dump (go.dev)
| aranw wrote:
| I'm curious to understand what implications this will have on Go
| and where it is used? How does this differ to other languages as
| well? I don't fully understand what it will mean for Go and its
| community.
| tptacek wrote:
| None; it's an optional package you use when your users require
| FIPS 140.
| tptacek wrote:
| It's interesting and kind of neat in an inside-baseball way that
| the standard Go cryptographic library (already unusual in the
| major languages for being a soup-to-nuts implementation rather
| than wrappers around an OpenSSL) is almost fully NIST-validated;
| in particular, it means vendors who want to sell into FedGov can
| confidently build with the Go standard library.
|
| Having said all this: nobody should be using crypto/fips140
| unless they know specifically why they're doing that. Even in its
| 140-3 incarnation, FIPS 140 is mostly a genuflection to FedGov
| idiosyncrasies.
| twoodfin wrote:
| Would you say there's a brown M&M's aspect (intentional or
| otherwise) to FIPS-140, or is it all just bowing to the
| sovereign for his indulgences?
| YawningAngel wrote:
| Not really. It isn't _hard_ to use FIPS validated software,
| it's just annoying to do because most libraries you would
| want to use aren't FIPS compliant by default for good
| reasons. If you can get a government contract in the first
| place you are already administratively competent enough to
| use FIPS.
| FiloSottile wrote:
| > Applications that have no need for FIPS 140-3 compliance can
| safely ignore [this page], and should not enable FIPS 140-3
| mode.
|
| https://go.dev/doc/security/fips140
|
| Yup.
| hamburglar wrote:
| This is huge. I've spent years jumping through hoops to get Go
| projects signed off for FIPS-140 and I always worried that
| something was going to go wrong and we'd have a compliance
| nightmare on our hands. They just made it super easy.
___________________________________________________________________
(page generated 2025-07-15 23:00 UTC)