[mieko]

FIPS is bureaucratic government red tape, and nothing else. It gives the "US Department of Whatever" and their contractors someone to blame when there's a fuck up.

No one respected in cryptography that I've met, or read papers from, would stand behind it as a seal that'd mean anything in actual security (please, someone, prove me wrong: I want to see SOME light in this tunnel). There are private entities with much more sensitive information than the U.S. Government, and the ones that take it seriously easily surpass FIPS (in purpose, not paper) with good engineering, because they can't hide behind a rubber stamp.

Not too long ago, I was on a team that was required to keep a FIPS-certified (FIPS 140-2) binary blob in production for months while there were known exploits against it. If you actually care about keeping amateur algorithms and implementations out of sensitive situations (vs. "Proving You Care via Paperwork"), you'd do better to follow Google or Facebook's security blogs than FIPS, because they react faster.