> On 6 Oct 2025, at 20:27, Jacob Champion <[email protected]> > wrote: > > On Fri, Oct 3, 2025 at 5:11 AM Joe Conway <[email protected]> wrote: >> That RFC appears to be specific to UUIDv4, but assuming that advice is >> generally >> applicable to UUIDs in general it seems to mean we are off the hook when it >> comes to FIPS with respect to UUIDs. > > The most recent RFC still says that [1]. And it doesn't appear to > mandate the use of a CSPRNG at all, so it'd be unfortunate if UUIDs > were bound by FIPS considerations... but my opinion has no effect on > whether they're bound in practice.
Using a UUID as salt would perhaps be one scenario which would turn the RNG used for UUIDs into security functionality according to the FIPS definitions? -- Daniel Gustafsson
