On Wed, Jun 04, 2014 at 03:15:33PM +0200, Nikos Mavrogiannopoulos wrote:
On Wed, 2014-06-04 at 09:05 -0400, Simo Sorce wrote:
> > That's old version. New one (https://fedoraproject.org/wiki/Changes/CryptoPolicy)
> > is:
> > Legacy: 767+
> > default: 1023+
> shouldn't this be 2047+ ?
If we do that then the applications that use these settings will be
unable to talk to any servers that offer 1024 keys. Given the number of
these servers that would be a good reason for applications not switching
to this centrally managed configuration system. That is, we'd have these
settings as in a museum and no-one will be using them.
IMHO it should be part of the policy to create FUTURE class keys by
default even if a weaker security level is required to make future
transitions easier. Otherwise the amount of servers using weak keys will
not decrease.
Regards
Till