@gsuberland I guess my stuff (impossible to remote login until you connect via serial console and provision a SSH key, no password login option exists) should be kosher then :)

@gsuberland I’m very split on some of that stuff if it’s the same as it was when I last read it. Secure auth and commitment to security updates is a big win. Requiring signed firmware less so if you care about being able to continue using things once the vendor abandons them.

@gsuberland most of our customers install product behind firewall or air gapped. We find that most never change the default passwords and we've had that ability for 20 years. Some change the main account password but leave other accounts at default for lack of understanding. Basically the product is an industry staple and I doubt these rules will stop anyone from getting it. But there is likely some grandfather clause available.

I doubt that laws can eradicate stupidity.

@gsuberland what is dumb is requiring devices to have levels of security that are not feasible with the hardware. Like 2,048 bit keys handled at 100 MHz system clock rates. 20+ seconds for a private key operation.

FIPS... Ugh.

Worse is SSH where the client dictates security levels and not the server. The server knows that no one cares about it's stuff. It should let you use weak keys. After all there really aren't quantum computers anyway. Not anytime soon either.