F21 System Wide Change: System-wide crypto policy
Nikos Mavrogiannopoulos
nmav at redhat.com
Fri Feb 28 09:59:01 UTC 2014
On Thu, 2014-02-27 at 10:37 -0800, Andrew Lutomirski wrote:
> In that case, why not give full control:
> allowed_ciphers = AES-192, AES-256, Salsa20/12, Salsa20/20
> allowed_groups = modp >= 2048, P-256, Curve25519
> allowed_hashes = SHA-3, ...
> allowed_modes = CTR, OCB, XTS, GCM
> allowed_macs = ...
Because of two reasons:
1. A typical administrator isn't a cryptographer. Most people cannot
distinguish noise from the algorithms that you mention above.
2. That proposal has to work with very different libraries that don't
provide the same level of access to their internals.
Thus the practical solution is to handle pre-defined common policies
rather than provide unlimited tuning for every possible purpose (that
can be done by overriding the defaults).
regards,
Nikos
More information about the devel
mailing list