F21 System Wide Change: System-wide crypto policy

Miloslav Trmač mitr at volny.cz
Tue Mar 4 16:19:00 UTC 2014 

2014-02-27 17:22 GMT+01:00 Jaroslav Reznik <jreznik at redhat.com>:

> = Proposed System Wide Change: System-wide crypto policy =
> https://fedoraproject.org/wiki/Changes/CryptoPolicy
>
> Unify the crypto policies used by different applications and libraries.


Is this for TLS only?  The description suggest this, but it's not explicit.


> == Detailed Description ==
> The idea is to have some predefined security levels such as LEVEL-80,
> LEVEL-128, LEVEL-256,
> or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256.


The difficult-to-coordinate work is updating the application-sid, so as
long as the API doesn't change, changing the predefined security levels is
something that needs to be done within a single package only, i.e.
comparatively easier, so I'm not *too* concerned about the particular
choices.

I do think we need a *single*, clear "Fedora recommended default".  Beyond
that, we need some flexibility, but it's far too easy to start asking for
too many options, and to get deep into bikeshedding.

The above proposed levels broadly make sense (taking 80/128/256 as a "nice
round numbers" that stand for detailed strenghts), we would probably want
to explicitly document the semantics (Is the semantics of a level fixed
forever or will it be updated?  Will we remove a weak cipher from an
existing level (ever / during a single Fedora release)?  Will we add a
cipher to alevel (ever / during a single Fedora release?).


> * Proposal owners: For GnuTLS and OpenSSL the "SYSTEM" cipher needs to be
> understood and behave as described. For NSS the NSS_SetDomesticPolicy()
> can be
> overloaded to behave as above.
>

Please update the NSS part with the current proposal (based on our
discussion).


> * Other developers: Packages that use SSL crypto libraries should, after
> the
> previous change is complete, start replacing the default cipher strings
> with
> SYSTEM.
>

How can we find out which packages would be affected?  Anything that
requires the library, or only users that refer to a specific symbol?

What about packages that currently don't explicitly set any policy string
(i.e. packages that probably don't care too much about the specifics)?
Would this mean adding a call to use "SYSTEM" to these packages, or would
we change the semantics of the API to use "SYSTEM" by default?
    Mirek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140304/b7ebf298/attachment.html>

More information about the devel mailing list