Open JanZerebecki opened 2 years ago
An option for some clients.
I'd prefer to see this as optional. Mandating FIPS would have made it difficult to use TLSv1.3 for instance. Can we instead advocate for modern, best-industry-standard crypto?
The challenge here for the USA folks is that the Federal Information Processing Standards (FIPS) are non-optional under the Federal Information Security Management Act (FISMA). It can be made optional for non-regulated industries and other governments where not required. However, regarding the US Government, if we are making recommendations to the US Government on what makes a hardened container image, it would be irresponsible for us not to align with the statutory requirements under which we are to design and implement technical specifications.
Instead, a more specific approach might be to ask what would have been difficult to use for TLSv1.3 and dig a little deeper; then try to get whatever the challenge was fixed within FIPS 140 rather than trying to get FIPS 140 not to be used.
Due to the way that FIPS 140 is being made, security improvements to internet standards are done first and FIPS second. So until that fundamentally changes, we will always need a dual approach: FIPS mode for customers where required, default for everyone else.
For most image situations there is a generic way to pass configuration, e.g. config disk for VMs, environment variables for podman and Kubernetes, etc. We should use a common environment variable for enforcing FIPS mode, map the non-env-based approaches to set the env, then use startup configuration to map to specific implementation settings. Then modify podman, etc., to pass this variable from the host by default, as it does for http_proxy.
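One way to implement the "common env var, mapped at startup to implementation settings" scheme from the comment above, as an added example that is not code from the thread, the paper or any project. It assumes a hypothetical variable name `FIPS_MODE`, OpenSSL 3 as the crypto implementation inside the image, a distribution-specific default path for `fipsmodule.cnf` (the file `openssl fipsinstall` produces), and a `FIPS_PROC_FILE` override that exists only so the kernel-flag fallback can be exercised offline.

```sh
#!/bin/sh
# Added example: entrypoint helper that maps one common environment variable,
# FIPS_MODE (hypothetical name), onto the OpenSSL 3 provider configuration so
# the same image runs in FIPS mode only where the customer requires it.

# Decide whether FIPS mode was requested.  The env var is authoritative; when it
# is unset, fall back to the kernel's own FIPS flag, which a container sees via
# /proc.  FIPS_PROC_FILE is a hypothetical test hook pointing at a fake file.
# Returns 0 = FIPS, 1 = default, 2 = unrecognised value (caller should refuse).
fips_requested() {
    case "${FIPS_MODE:-}" in
        1|true|yes|on)  return 0 ;;
        0|false|no|off) return 1 ;;
        "")             ;;
        *) echo "fips: unrecognised FIPS_MODE='$FIPS_MODE'" >&2; return 2 ;;
    esac
    proc="${FIPS_PROC_FILE:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$proc" ] && [ "$(cat "$proc")" = "1" ]; then
        return 0
    fi
    return 1
}

# Write an OpenSSL 3 config that loads the fips provider and sets the default
# property query to fips=yes, so fetching a non-approved algorithm fails loudly
# instead of silently using the default provider.  $2 is the fipsmodule.cnf
# generated by `openssl fipsinstall`; the default location is an assumption.
render_openssl_conf() {
    out="$1"
    fipsmodule="${2:-/usr/lib/ssl/fipsmodule.cnf}"
    cat >"$out" <<EOF
config_diagnostics = 1
openssl_conf = openssl_init

.include $fipsmodule

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
EOF
}

# Map the request to implementation settings.  Prints the selected profile
# ("fips" or "default"), exports OPENSSL_CONF when FIPS is on, and refuses to
# start (non-zero return) on a value it does not understand: a misspelt
# FIPS_MODE must not quietly degrade to non-FIPS crypto.
configure_crypto() {
    out="${1:-/etc/ssl/openssl-fips.cnf}"
    fips_requested
    rc=$?
    case $rc in
        0)
            render_openssl_conf "$out" "${FIPS_MODULE_CNF:-}"
            OPENSSL_CONF="$out"; export OPENSSL_CONF
            echo fips
            ;;
        1)
            echo default
            ;;
        *)
            echo "fips: refusing to start" >&2
            return "$rc"
            ;;
    esac
}
```

Call `configure_crypto` from the image's entrypoint before `exec`-ing the real process; until podman forwards the variable from the host the way it does `http_proxy`, it has to be passed explicitly (`-e FIPS_MODE=1`). The generated config only works if the image actually ships the FIPS provider module and its `fipsmodule.cnf`; with `config_diagnostics = 1` a missing or unverifiable module makes OpenSSL fail at startup rather than continue without it, which is the behaviour you want from an enforcement switch.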
https://github.com/Open-Security-Working-Group/paper-what-makes-hardened-container-image/blob/562013517b8a8851bf9dade9337be9886c8c22a7/Planning-Outline_What-makes-hardened-container-images.adoc#L101
While for the US government these are mandated, for others there are usually better alternatives. E.g. compare the FIPS requirement of P-256 vs Curve25519, as explained at SafeCurves.