System-wide crypto policy transition tracker
Petr Spacek
pspacek at redhat.com
Wed Jan 7 08:18:06 UTC 2015
On 6.1.2015 16:20, Nikos Mavrogiannopoulos wrote:
> Hello,
> I've created a transition tracker to system-wide crypto policy at:
> https://bugzilla.redhat.com/show_bug.cgi?id=1179209
>
> Currently it contains bugs filled against openssl and gnutls
> applications in Fedora. If you use some application which utilizes
> SSL/TLS and isn't included in the tracker feel free to request it use
> the policy, and include a link to the bug report in the tracker.
>
> The tracker also contains a dependency on NSS respecting the system
> crypto policy: https://bugzilla.redhat.com/show_bug.cgi?id=1157720
I wonder what is your plan moving forward. Is it going to be 'TLS policy'? Or
are you planning to generalize it in future?
E.g. DNSSEC-related software can be configured which algorithm list and key
sizes too. I guess that the same applies to GnuPG.
In other words, should the policy be able to express something like
'do not trust MD5, SHA1, DES, RC4, RSA < 1024 bits anymore'
?
IMHO it would be extremely handy - it would allow us to quickly react when
something is seriously broken without patching all affected applications in
Fedora.
--
Petr^2 Spacek
More information about the devel
mailing list