DISCLAIMER: I have no idea if the above information regarding FIPS is valid or complete and utter nonsense. However, I wanted to weigh in on the possible logic of sending things "in the clear" to non-FIPS compliant users.

If you are a government agency that deals in classified materials, say for example a document, there are basically two classifications (or states for you developers out there): the first state is Classified: i.e. the document is not in the open. The second state is non-Classified: i.e. the document is in the open.

If I'm working with a classified document, one of the most important things I need to know is when that document is allowed to cross the boundary into the open. If I send a classified document to a non-FIPS compliant user and I encrypt that document, I may generate a false sense of security in that we may believe the document is still secure (because it's encrypted) when, in fact, we have lost a measure of control over the document since the receiving party isn't playing by the same (FIPS) rules.

In that case, I'd rather know for certain that the document has moved into the open rather than wonder if it's still secure or not.

Again, I have no idea if this is the case or not, but it seems like a plausible argument. Of course, that reminds me of the H.L. Mencken quote: Explanations exist; they have existed for all time; there is always a well-known solution to every human problem — neat, plausible, and wrong.

I'm not sure about the Firefox issue. I've set up both my wife and myself to use standard user accounts on WinXP and I reserve the administrator account for (gasp!) administration. We both use Firefox as our main browser and I haven't had any issues with updates even as a restricted user. If you want to reinstall Firefox, then you would definitely have to be signed on as administrator. But, just regular browser updates work fine for us. YMMV obviously.

By the way, I agree with the comments about the lack of issues you have when you run as a standard user on WinXP. Making this one change was the single biggest thing I did that completely eliminated any problems with virii or trojans.

In my view, using a "small subset of the .NET framework" is not an argument against using ASP.NET. .NET is a huge and extremely varied framework (as you evidently know well). It would be a very odd case where any particular application - whether it be web or Win32 - would require the majority of the functionality provided through .NET.

But the fact that all I need is a screwdriver does not lessen the value of having a well-stocked toolbox. The first time I had to create a web application that could consume and perform complex recursive logic on XML files created by a mobile application framework, I didn't have to wonder whether .NET provided the necessary functionality. I knew it did even though I'd never used it before.

I'm not going to sit here and tell you there aren't things about .NET that drive me nuts. And, in fairness, I don't have a lot of experience with other web application frameworks. Still, .NET gives me what I need when I need it and without a lot of fuss. The biggest problems I deal with each day have very little to do with my framework of choice and much more to do with things outside of my control. C'est la vie, eh?

By the way, I'm the Anonymous Coward that posted above. I just created a new Slashdot account so now I can be a Well-Known Coward.