README: add validation boundary note and authoritative FIPS references

crisdosaygo · crisdosaygo · commit 3cc39a04f608 · 2026-02-04T19:09:53.000+08:00
diff --git a/README.md b/README.md
@@ -69,6 +69,10 @@ In short:
 - **Product claim:** fail closed if that surface cannot be established.
 - **Non-claim:** no claim that this application is itself CMVP-validated.
 
+Validation boundary note:
+- fips-pad is an application that depends on OS crypto surfaces.
+- Any CMVP validation status applies to the underlying cryptographic module entries, not to this application as a validated module.
+
 ### Windows 10 / 11
 
 - Crypto backend: Windows CNG / BCrypt
@@ -192,6 +196,23 @@ This is control tailoring, exactly as 800-53 intends.
 
 ---
 
+## Authoritative references
+
+- FIPS 140-3 (NIST publication):  
+  https://csrc.nist.gov/pubs/fips/140-3/final
+- NIST CMVP program overview and validation listings:  
+  https://csrc.nist.gov/projects/cryptographic-module-validation-program
+- NIST SP 800-53 Rev. 5 control catalog:  
+  https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
+- Windows FIPS mode API (`BCryptGetFipsAlgorithmMode`):  
+  https://learn.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgetfipsalgorithmmode
+- Ubuntu FIPS enablement guidance:  
+  https://ubuntu.com/security/certifications/docs/16-18/fips-enablement
+- RHEL FIPS mode guidance:  
+  https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening
+
+---
+
 ## What it means if the app starts
 
 If fips-pad starts:
