On Fri, Oct 3, 2025 at 5:11 AM Joe Conway <[email protected]> wrote: > That RFC appears to be specific to UUIDv4, but assuming that advice is > generally > applicable to UUIDs in general it seems to mean we are off the hook when it > comes to FIPS with respect to UUIDs.
The most recent RFC still says that [1]. And it doesn't appear to mandate the use of a CSPRNG at all, so it'd be unfortunate if UUIDs were bound by FIPS considerations... but my opinion has no effect on whether they're bound in practice. --Jacob [1] https://www.rfc-editor.org/rfc/rfc9562.html#name-security-considerations
