On 10/3/25 04:04, Daniel Gustafsson wrote:
On 3 Oct 2025, at 01:16, Masahiko Sawada <[email protected]> wrote:

Adding Joe to the thread since he usually has insights into all things FIPS.

Thanks, I do have opinions at least ;-)

..in systems that must be FIPS compliant, is it okay to generate UUIDs
using random numbers from non-FIPS compliant sources?  If yes, we can use
pg_random/pg_fast_random() for UUID generation in all cases.

If UUID generation can be considered to not provide any security
functionality then a non-FIPS validated RNG (FIPS 140-2 Annex C [2] talks
more about RNGs) can likely be used.  Any app which uses a UUID in any way
which can be considered a security functionality would however not be able
to do that.  If anyone is able to find official NIST documentation which can
shed more light on this then that would be great.


The first hit for UUID RFC[1] that I found said this:
8<------------------
6.  Security Considerations

   Do not assume that UUIDs are hard to guess; they should not be used
   as security capabilities (identifiers whose mere possession grants
   access), for example.  A predictable random number source will
   exacerbate the situation.
8<------------------

That RFC appears to be specific to UUIDv4, but assuming that advice is generally applicable to UUIDs in general it seems to mean we are off the hook when it comes to FIPS with respect to UUIDs. Perhaps we should document that though (assuming we have not already).

This would need to be properly documented of course.  Maybe we should even
start a dedicated subsection on FIPS in the manual to collect information for
anyone wanting to use PostgreSQL in a FIPS compliant environment?  (That would
be for another thread though, to keep the goalposts in sight here.)

Yeah, or maybe a source code README, or maybe both. Agreed -- another thread for another day.


[1] https://datatracker.ietf.org/doc/html/rfc4122#section-6

--
Joe Conway
PostgreSQL Contributors Team
Amazon Web Services: https://aws.amazon.com

