I'm willing to change, being as a maintainer of dropbear.

But I don't know the standard is encouraged only in EU or USA, also can expert's opinion represent all requirements?


On Jan 3, 2014 12:53 AM, "Miloslav Trmač" <mitr@volny.cz> wrote:
On Sat, Dec 21, 2013 at 9:38 AM, Till Maas <opensource@till.name> wrote:
> Therefore I would like to propose a packaging guideline about which
> minimum key size software in Fedora should generate by default.

Such guidelines would be very desirable.  The following needs to be addressed:

* Do we have the expertise to define the requirements?  We could just
follow the ENISA report or
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf ,
but each such publication has a risk of carrying an agenda.  (Note
that choosing the algorithms is just as important as choosing the key

* Do we have the expertise to follow the requirements?  The package
maintainers would have to understand the source code to a much deeper
extent than we've typically required.  (I do think such a change in
expectations would be a very good thing.)

* Can we actually get this done?  Uses of MD5 and DES are probably a
bigger threat, and I'm afraid we haven't made that much progress on
eradicating them, over many years.
security mailing list