[0xbadcafebee]

> It seems quite silly to me to enforce a massive MitM attack while at the same time sticking to the FIPS standards.

Well they're two different things. One is an often government-mandated security standard. The other is a business requirement to be able to audit network traffic, which is also often a government-mandated requirement (due to regulations, due diligence, contractual requirements, etc).

People making tech stuff very often forget that the entire world does not work based on "technical best practices", it works on laws and contracts and customer/business requirements. In the real world there is often no perfect way to satisfy all requirements.

[jeroenhd]

The reason the government wants FIPS is that it's been verified to be secure according to the national agencies. Enforcing that that security and then putting all if your sensitive traffic in the hands of one key on one box directly contradicts the security requirements FIPS is intended to ensure.

I don't expect the government to have different departments work together around this stuff, but knowing the technical details, the end result is still impractical and stupid. The end result of stupid rules and requirements is that the real world application of technology is stupid, as we have probably all experienced one way or another during our lives.

Just because there's a real business need for something, doesn't stop that from being silly. Correcting the silliness is clearly not a technological challenge, we'll have to wait for politicians and managers to do that, but the end result is still a confusing and contradictory mess.