I'm willing to change, being as a maintainer of dropbear.
But I don't know the standard is encouraged only in EU or USA, also can expert's opinion represent all requirements?
Thanks.
On Sat, Dec 21, 2013 at 9:38 AM, Till Maas <opensource@till.name> wrote:
> Therefore I would like to propose a packaging guideline about which
> minimum key size software in Fedora should generate by default.
Such guidelines would be very desirable. The following needs to be addressed:
* Do we have the expertise to define the requirements? We could just
follow the ENISA report or
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf ,
but each such publication has a risk of carrying an agenda. (Note
that choosing the algorithms is just as important as choosing the key
sizes.)
* Do we have the expertise to follow the requirements? The package
maintainers would have to understand the source code to a much deeper
extent than we've typically required. (I do think such a change in
expectations would be a very good thing.)
* Can we actually get this done? Uses of MD5 and DES are probably a
bigger threat, and I'm afraid we haven't made that much progress on
eradicating them, over many years.
Mirek
--
security mailing list
security@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/security