dang, that new version of the Product Security and Telecommunications Infrastructure Act goes hard. you can no longer sell an IoT product in the UK if it doesn't have a secure password initialisation feature and the ability for users to change its passwords.
@gsuberland what is dumb is requiring devices to have levels of security that are not feasible with the hardware. Like 2,048 bit keys handled at 100 MHz system clock rates. 20+ seconds for a private key operation.
FIPS... Ugh.
Worse is SSH where the client dictates security levels and not the server. The server knows that no one cares about it's stuff. It should let you use weak keys. After all there really aren't quantum computers anyway. Not anytime soon either.