F21 System Wide Change: System-wide crypto policy

Bill Nottingham notting at redhat.com
Thu Feb 27 16:52:01 UTC 2014


Jaroslav Reznik (jreznik at redhat.com) said: 
> = Proposed System Wide Change: System-wide crypto policy =
> https://fedoraproject.org/wiki/Changes/CryptoPolicy
> 
> Change owner(s): Nikos Mavrogiannopoulos <nmav at redhat.com>
> 
> Unify the crypto policies used by different applications and libraries. That is,
> allow setting a consistent security level for crypto on all applications in a
> Fedora system.
> 
> == Detailed Description ==
> The idea is to have some predefined security levels such as LEVEL-80,
> LEVEL-128, LEVEL-256, or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256.
> These will be the security levels that the administrator of the system will
> be able to configure by modifying
> /usr/lib/crypto-profiles/config
> /etc/crypto-profiles/config
> 
> and which are applied after executing update-crypto-profiles.
> (Note: it would be better to have a daemon that watches those files and
> runs update-crypto-profiles automatically)

How is an admin supposed to know what levels such as the above are, and why
they might choose a particular one?

> * Proposal owners: For GnuTLS and OpenSSL the "SYSTEM" cipher needs to be 
> understood and behave as described. For NSS the NSS_SetDomesticPolicy() can be 
> overloaded to behave as above.
> 
> After that a mechanism to specify crypto policies for Fedora has to be 
> devised, as well as the extraction to each library's settings.
> 
> * Other developers: Packages that use SSL crypto libraries should, after the 
> previous change is complete, start replacing the default cipher strings with 
> SYSTEM.

This implies a potentially not insignificant local patch load. Am I
misunderstanding it?

Bill

