https://fedoraproject.org/wiki/Changes/CustomCryptoPolicies
== Summary ==
This new feature of crypto-policies allows system administrators and third party providers to modify and adjust the existing system-wide crypto policies to enable or disable algorithms and protocols.
== Owner ==
* Name: [[User:Tmraz | Tomáš Mráz]]
* Email: tmraz@redhat.com
== Detailed Description ==
The crypto-policies package will be enhanced to allow system administrators to modify the existing system-wide crypto policy levels by removing or adding enabled algorithms and protocols. For example, it will be possible to easily modify the existing DEFAULT policy to disable SHA1 support or to enable support for a national crypto algorithm that is supported by the crypto libraries but is disabled in the policies. A system administrator will be able to achieve this by adding a simple configuration file and then calling the update-crypto-policies command.
== Benefit to Fedora ==
This will enable advanced users of Fedora to adjust the crypto-policies of the system to their particular needs and requirements.
It will also enable the use of Fedora where national crypto algorithms are required, without the need to manually tinker with the configurations of various software components to enable those algorithms.
== Scope ==
* Proposal owners: The design of the feature and prototype is already finished upstream. We still need to convert the existing back-end policy generators to the new framework and convert the existing policy definitions to the new format. Then the crypto-policies package will be rebased to the version with the custom crypto policies support included.
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
No impact. If a custom policy is not set, the crypto policies will continue to work as expected and as they worked before.
== How To Test ==
This will be tested as part of the upstream crypto-policies testsuite.
== User Experience ==
Unless the user chooses to create and/or apply a custom crypto policy on the system, there will be no noticeable change in user experience.
== Dependencies ==
N/A (not a System Wide Change)
== Contingency Plan ==
* Contingency mechanism: N/A (not a System Wide Change)
== Documentation ==
N/A (not a System Wide Change)
== Release Notes ==
The crypto-policies package was enhanced to allow system administrators to modify the existing system-wide crypto policy levels by removing or adding enabled algorithms and protocols. For example, it is now possible to easily modify the existing DEFAULT policy to disable SHA1 support or to enable support for a national crypto algorithm that is supported by the crypto libraries but is disabled in the policies. This can be achieved by adding a simple configuration file and calling the update-crypto-policies command.