Jaroslav Reznik (jreznik(a)redhat.com) said:
= Proposed System Wide Change: System-wide crypto policy =
https://fedoraproject.org/wiki/Changes/CryptoPolicy
Change owner(s): Nikos Mavrogiannopoulos <nmav(a)redhat.com>
Unify the crypto policies used by different applications and libraries. That is
allow setting a consistent security level for crypto on all applications in a
Fedora system.
== Detailed Description ==
The idea is to have some predefined security levels such as LEVEL-80,
LEVEL-128, LEVEL-256,
or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256. These will be the
security levels
that the administrator of the system will be able to configure by modifying
/usr/lib/crypto-profiles/config
/etc/crypto-profiles/config
and being applied after executing update-crypto-profiles.
(Note: it would be better to have a daemon that watches those files and
runs update-crypto-profiles automatically)
How is an admin supposed to know what levels such as the above are, and why
they might choose a particular one?
* Proposal owners: For GnuTLS and OpenSSL the "SYSTEM"
cipher needs to be
understood and behave as described. For NSS the NSS_SetDomesticPolicy() can be
overloaded to behave as above.
After that a mechanism to specify crypto policies for Fedora has to be
devised, as well as the extraction to each libraries' settings.
* Other developers: Packages that use SSL crypto libraries should, after the
previous change is complete, start replacing the default cipher strings with
SYSTEM.
This implies a potentially not insignificant local patch load. Am I
misunderstanding it?
Bill