F21 System Wide Change: System-wide crypto policy

Stephen John Smoogen smooge at gmail.com
Thu Feb 27 18:26:29 UTC 2014


On 27 February 2014 10:58, Andrew Lutomirski <luto at mit.edu> wrote:

>
> > We have to document that, but there will be always ways to shoot
> > someone's foot. There are legitimate uses of increasing a security level
> > (if one for example sets up machines to be used in a LAN).
> >
> >> If someone sets SUITEB-whatever, is Curve25519 acceptable?
> >
> > SuiteB only allows two curves. SECP256 and SECP384 if I remember well.
>
> I understand why people implement ridiculous FIPS modes: it's to
> comply with government rules.  I don't see why Fedora should add to
> the mess.
>
>
Because such .gov rules are pushing throughout the industry and university
systems. You may be a research professor who has a grant which requires you
to show your systems are on such a level, as someone in the granting agency
doesn't want its grants to have stored their records in plain text or, worse,
the algorithms the professor knew back in the 1970s when he was a grad
student. [Been there, done that] You may be a university hospital which has
to show that it is keeping confidentiality through various levels [Fedora,
like many Linuxes, gets used to be embedded in hardware; you might scratch
your head, but it is what it is.] You may be an EU giant accelerator which
finds that its funding has new riders, and while you don't use Fedora, you
use a rebuild and will want to show you can meet those riders in X years
(which is usually good enough for the financial auditors).

It is basically to help make the work easier, so that when someone is told
"you have to make your system compliant," they can do it in one spot versus
500.

-- 
Stephen J Smoogen.