Treating a certification of algorithm correctness as a certification of a well-engineered product is a poor choice, because many security-critical things in the product are not considered in the certification.
That makes a lot of sense, thank you! I got the impression that the parent comment meant that the certification itself means nothing, hence my confusion.
I mean, a crypto certification that doesn't tell you very much about the effective security of the product doesn't provide very much value though, does it? All it tells me is that someone thought it would increase their sales enough to justify the time and money; they may not have spent time and money to generate random numbers properly, and may just use 4 all the time; they could probably still get a FIPS cert, because it's out of the scope of the certification.