On Mon, 26 Jan 2015 22:35:12 -0500
Tom Francis <thomas.francis.jr at pobox.com> wrote:

> This is a bad idea. It can generally be done, and it's probably not
> even too hard (for some uses, anyway). But it's a bad idea. Here's
> why:

Thanks for the detailed comments. I understand the concerns, although
there's one thing I do not see clearly, that is:

> 2) Applications that don't know they're operating in FIPS
> mode may attempt to use algorithms that are disallowed in FIPS mode,
> but using an API that will actually succeed.

How could this happen? Do you have a practical use case? Wouldn't
OpenSSL in FIPS mode prevent the use of such an algorithm in the first
place?

Regards.