F21 System Wide Change: System-wide crypto policy
Nikos Mavrogiannopoulos
nmav at redhat.com
Fri Feb 28 10:03:52 UTC 2014
On Thu, 2014-02-27 at 11:52 -0500, Bill Nottingham wrote:
> > == Detailed Description ==
> > The idea is to have some predefined security levels such as LEVEL-80,
> > LEVEL-128, LEVEL-256,
> > or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256. These will be the
> > security levels
> > that the administrator of the system will be able to configure by modifying
> > /usr/lib/crypto-profiles/config
> > /etc/crypto-profiles/config
> > and being applied after executing update-crypto-profiles.
> > (Note: it would be better to have a daemon that watches those files and
> > runs update-crypto-profiles automatically)
> How is an admin supposed to know what levels such as the above are, and why
> they might choose a particular one?
They will be documented. They could be part of the configuration file
that can be edited. The policies above are indicative, so if there are
suggestions they will be considered.
>
> > * Proposal owners: For GnuTLS and OpenSSL the "SYSTEM" cipher needs to be
> > understood and behave as described. For NSS the NSS_SetDomesticPolicy() can be
> > overloaded to behave as above.
> > After that a mechanism to specify crypto policies for Fedora has to be
> > devised, as well as the extraction to each libraries' settings.
> > * Other developers: Packages that use SSL crypto libraries should, after the
> > previous change is complete, start replacing the default cipher strings with
> > SYSTEM.
> This implies a potentially not insignificant local patch load. Am I
> misunderstanding it?
You are correctly understanding. This is not a small project and any
help is appreciated.
regards,
Nikos
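To make the proposed mechanism concrete, here is an added, constructed example (not code from the Fedora change or from update-crypto-profiles) of how a single administrator-chosen level could be expanded into per-library settings. The level names, the two config paths and the /etc-over-/usr/lib precedence are taken from the proposal; the config file format (one bare level name, `#` comments allowed), the bit-strength constraints attached to each level, and the exact OpenSSL cipher string and GnuTLS priority string produced for each level are assumptions made for illustration.

```python
"""Toy model of the proposed crypto-profiles mechanism.

One security level chosen by the administrator is expanded into the
native policy strings of each TLS library. Constructed illustration
only; the Fedora implementation and its file format may differ.
"""
from pathlib import Path
from typing import Dict, Optional

# Paths named in the proposal: the admin copy overrides the vendor copy.
ADMIN_CONFIG = Path("/etc/crypto-profiles/config")
VENDOR_CONFIG = Path("/usr/lib/crypto-profiles/config")

# Level names come from the proposal. The constraints behind each name
# (symmetric strength, RSA modulus, lowest TLS version, SHA-1 allowed?)
# are illustrative assumptions, not the project's definitions.
POLICIES: Dict[str, dict] = {
    "LEVEL-80":  {"sym": 80,  "rsa": 1024, "tls_min": (1, 0), "sha1": True},
    "LEVEL-128": {"sym": 128, "rsa": 2048, "tls_min": (1, 2), "sha1": False},
    "LEVEL-256": {"sym": 256, "rsa": 3072, "tls_min": (1, 2), "sha1": False},
}


def parse_config(text: Optional[str]) -> Optional[str]:
    """Return the level named in a config file, or None if the file is
    absent or names nothing. Assumed format: one bare level name, with
    '#' comments and blank lines ignored. Unknown names are rejected so
    a typo cannot silently fall back to a weaker default."""
    if text is None:
        return None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            if line not in POLICIES:
                raise ValueError(f"unknown security level: {line!r}")
            return line
    return None


def resolve_level(admin_text: Optional[str], vendor_text: Optional[str]) -> str:
    """/etc/crypto-profiles/config wins; /usr/lib/... is the fallback."""
    level = parse_config(admin_text) or parse_config(vendor_text)
    if level is None:
        raise ValueError("no security level configured in either file")
    return level


def openssl_cipher_string(level: str) -> str:
    """Assumed mapping to an OpenSSL cipher-string: a strength keyword
    plus exclusions that every level shares (anonymous/null/export
    suites, MD5, RC4) and extra exclusions for stronger levels."""
    p = POLICIES[level]
    base = {80: "DEFAULT", 128: "HIGH", 256: "AES256"}[p["sym"]]
    parts = [base, "!aNULL", "!eNULL", "!EXPORT", "!MD5", "!RC4"]
    if p["sym"] >= 128:
        parts.append("!3DES")          # 112-bit effective strength
    if not p["sha1"]:
        parts.append("!SHA1")
    return ":".join(parts)


def gnutls_priority_string(level: str) -> str:
    """Assumed mapping to a GnuTLS priority string: a SECURE keyword,
    then protocol versions and MACs removed according to the level."""
    p = POLICIES[level]
    base = {80: "NORMAL", 128: "SECURE128", 256: "SECURE256"}[p["sym"]]
    parts = [base, "-VERS-SSL3.0", "-MD5"]
    if p["tls_min"] >= (1, 2):
        parts += ["-VERS-TLS1.0", "-VERS-TLS1.1"]
    if not p["sha1"]:
        parts.append("-SHA1")
    return ":".join(parts)


def render_profile(level: str) -> Dict[str, str]:
    """What an update-crypto-profiles step would write out per library.
    The minimum RSA size has no cipher-string equivalent, so it is
    reported separately for back-ends that take it as a number."""
    return {
        "openssl": openssl_cipher_string(level),
        "gnutls": gnutls_priority_string(level),
        "min_rsa_bits": str(POLICIES[level]["rsa"]),
    }


def read_if_present(path: Path) -> Optional[str]:
    return path.read_text() if path.exists() else None


if __name__ == "__main__":
    # Constructed sample contents standing in for the two files.
    admin = "# set by the administrator\nLEVEL-128\n"
    vendor = "LEVEL-80\n"
    level = resolve_level(admin, vendor)
    for lib, value in render_profile(level).items():
        print(f"{level:10} {lib:12} {value}")
```

In a real deployment `read_if_present(ADMIN_CONFIG)` and `read_if_present(VENDOR_CONFIG)` would feed `resolve_level`, and the rendered strings would be written wherever each library reads its "SYSTEM" setting from; the point of the model is that packages never see the level name, only their own library's native syntax.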