----- Original Message -----
From: "Simo Sorce" <simo(a)redhat.com>
To: "Hubert Kario" <hkario(a)redhat.com>
Cc: "Till Maas" <opensource(a)till.name>, security(a)lists.fedoraproject.org
Sent: Wednesday, June 4, 2014 3:05:03 PM
Subject: Re: available crypto policies
On Wed, 2014-06-04 at 08:47 -0400, Hubert Kario wrote:
> ----- Original Message -----
> > From: "Till Maas" <opensource(a)till.name>
> > To: security(a)lists.fedoraproject.org
> > Sent: Wednesday, June 4, 2014 9:46:13 AM
> > Subject: Re: available crypto policies
>
> That's old version. New one
> (https://fedoraproject.org/wiki/Changes/CryptoPolicy)
> is:
> Legacy: 767+
> default: 1023+
shouldn't this be 2047+ ?
No, approx. more than 0.5% of Internet servers still use 1024 bit
certificates, we also still trust 1024 bit CA roots.
It also matches accepting SHA-1 signatures in certificates.
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario(a)redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic