[Bug 1107633] New: System-wide crypto policy

bugzilla at redhat.com bugzilla at redhat.com
Tue Jun 10 11:21:53 UTC 2014


https://bugzilla.redhat.com/show_bug.cgi?id=1107633

            Bug ID: 1107633
           Summary: System-wide crypto policy
           Product: Fedora Documentation
           Version: devel
         Component: security-guide
          Keywords: Documentation, ReleaseNotes
          Assignee: sparks at redhat.com
          Reporter: sparks at redhat.com
        QA Contact: docs-qa at lists.fedoraproject.org
                CC: hkario at redhat.com, jreznik at redhat.com,
                    nmavrogi at redhat.com, pkennedy at redhat.com,
                    security-guide-list at redhat.com, sparks at redhat.com,
                    zach at oglesby.co
        Depends On: 1076390



+++ This bug was initially created as a clone of Bug #1076390 +++

This is a tracking bug for Change: System-wide crypto policy
For more details, see: http://fedoraproject.org//wiki/Changes/CryptoPolicy

Unify the crypto policies used by different applications and libraries. That is,
allow setting a consistent security level for crypto on all applications in a
Fedora system. The implementation approach will be to initially modify SSL
libraries to respect the policy and gradually add more libraries and
applications.

--- Additional comment from Eric Christensen on 2014-03-24 13:40:11 EDT ---

I wrote up something about this already (but can't find it) that can be used in
the Release Notes and Security Guide.  As soon as I can lay my hands on it,
again, I'll post it for review.

--- Additional comment from Eric Christensen on 2014-03-24 14:40:25 EDT ---

This is the text I'd like to use for the Release Notes and Security Guide if it
looks good to the feature owner.

--- Additional comment from Nikos Mavrogiannopoulos on 2014-03-25 05:45:07 EDT ---

Let's not update the release notes and manual yet, as the details are not yet
fixed. I expect these to be fixed by the end of next month.

--- Additional comment from Nikos Mavrogiannopoulos on 2014-06-03 07:26:05 EDT ---

I've updated the proposed text for the release notes.

<title>Crypto Policy</title>

<para>Beginning in Fedora 21, a system-wide crypto policy will be available for
users to quickly set up the cryptographic options for their systems.  Users that
must meet certain cryptographic standards can make the policy change in
<filename>/etc/crypto-policies/config</filename>, and run
update-crypto-policies. At this point applications that utilize the default
set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy
requirements.</para>

<para>The available options are: (1) LEGACY, which ensures compatibility with
legacy systems - 64-bit security, (2) DEFAULT, a reasonable default for today's
standards - 80-bit security, and (3) FUTURE, a conservative level that is
believed to withstand any near-term future attacks - 128-bit security.
These levels affect SSL/TLS settings, including elliptic curves, signature hash
functions, and ciphersuites and key sizes.</para>

<para>Additional information on this new feature can be found on the <ulink
url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes
wiki page</ulink>.</para>
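
An added example, not part of the bug report or of the crypto-policies package: a shell check that the level named in a policy file meets a required minimum, using the three levels from the draft text above. The ordering LEGACY < DEFAULT < FUTURE follows the stated bit strengths; the file format handling (one level name, `#` comments, blank lines ignored) and all function names are assumptions.

```shell
#!/bin/sh
# Added example: audit that a crypto policy file selects a level at or above
# a required minimum. Level names come from the draft release-note text;
# the file format handling and function names are assumptions.

# Map a level name to its rank; unknown names fail.
policy_rank() {
    case "$1" in
        LEGACY)  echo 1 ;;   # 64-bit security per the draft text
        DEFAULT) echo 2 ;;   # 80-bit security
        FUTURE)  echo 3 ;;   # 128-bit security
        *) return 1 ;;
    esac
}

# Print the configured level: the first line that is non-empty after
# stripping '#' comments and surrounding whitespace.
read_policy() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        awk 'NF { print; exit }'
}

# check_policy FILE MINIMUM
# Returns 0 if FILE meets MINIMUM, 1 if it is weaker,
# 2 if the file is missing or empty or either level name is unknown.
check_policy() {
    level=$(read_policy "$1") || return 2
    have=$(policy_rank "$level") || return 2
    want=$(policy_rank "$2") || return 2
    [ "$have" -ge "$want" ]
}

# Constructed sample config in a temporary file (not a real system file).
sample=$(mktemp)
printf '# site policy\nDEFAULT\n' > "$sample"
check_policy "$sample" DEFAULT && echo "meets DEFAULT"
check_policy "$sample" FUTURE  || echo "below FUTURE (rc=$?)"
rm -f "$sample"
```

A typo or an unknown level name is reported as status 2 rather than being treated as a pass, so a misspelled policy cannot satisfy the audit.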

--- Additional comment from Eric Christensen on 2014-06-03 11:58:18 EDT ---

(In reply to Nikos Mavrogiannopoulos from comment #4)

Awesome, thanks!  I've added it to the Security Beat
(https://fedoraproject.org/wiki/Documentation_Security_Beat) and it should be
in the Release Notes for F21.


Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1076390
[Bug 1076390] System-wide crypto policy