proposed text for crypto-policies in Packaging Guidelines

Tristan Santore tristan.santore at internexusconnect.net
Fri Aug 8 09:34:10 UTC 2014


On 08/08/14 09:20, Nikos Mavrogiannopoulos wrote:
> Hello,
>  I plan to submit the following text for packaging guidelines regarding
> crypto policies. Are there any comments or suggestions?
>
> Since Fedora 21 (http://fedoraproject.org/wiki/Changes/CryptoPolicy)
> there are policies for the usage of SSL and TLS cryptographic protocols
> that are enforced system-wide. Each application being added in Fedora
> must be checked to comply with the policies. Currently the policies are
> restricted to applications using GnuTLS and OpenSSL.
>
>  * OpenSSL applications: If the application provides a configuration
> file that allows to modify the cipher list string, ensure that the
> default is "PROFILE=SYSTEM". Otherwise, if the application doesn't have
> a configuration file, ensure that there is no default cipher list
> specified, or that the default list is set as "PROFILE=SYSTEM". 
>
>  * GnuTLS applications: If the application provides a configuration file
> that allows to modify the cipher priority string, ensure that the
> default is "@SYSTEM". Otherwise, if the application doesn't have a
> configuration file, ensure that it uses gnutls_set_default_priority(),
> or that the default priority string is "@SYSTEM". 
>
> Applications utilizing other cryptographic libraries do not adhere to
> the system wide crypto policies. 
>
> regards,
> Nikos
>
>
> --
> security mailing list
> security at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/security
What about GNUPG?

And what will that default be set to? Because certain ciphers that NIST
seems to think are OK, are not OK, as we found out. And who decides
which cyphers are good in that context?

Are we following bettercrypto.org's paper?

Regards,

Tristan


-- 

Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org

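A small compliance check in the spirit of the guideline quoted above, added here as an example (it is not part of the thread, nor Fedora's own tooling): it scans an application's shipped configuration for cipher-string keys and verifies that the default defers to the system policy, i.e. PROFILE=SYSTEM for OpenSSL or @SYSTEM for GnuTLS. The key names ssl_cipher_list and tls_priority and both sample configs are constructed for illustration.

```python
"""Check an application's shipped defaults against the crypto-policies
guideline: OpenSSL cipher lists must default to PROFILE=SYSTEM, GnuTLS
priority strings to @SYSTEM (added example, not Fedora tooling)."""
import re

# Accepted defaults per library, as stated in the proposed guideline text.
EXPECTED = {"openssl": "PROFILE=SYSTEM", "gnutls": "@SYSTEM"}

# Constructed config keys an application might expose; real key names vary
# per application, so this mapping is an assumption to adapt per package.
KEY_LIBRARY = {
    "ssl_cipher_list": "openssl",  # an OpenSSL cipher list string
    "tls_priority": "gnutls",      # a GnuTLS priority string
}

# key = value, with an optional trailing "# comment"; the value itself may
# contain '=' (as PROFILE=SYSTEM does), so only the first '=' separates.
_LINE = re.compile(r"^\s*(?P<key>[A-Za-z_]+)\s*=\s*(?P<val>[^#\n]*?)\s*(#.*)?$")


def check_config(text):
    """Return (line_no, key, value, verdict) for every cipher key found.
    A key that is absent means the default lives in the source, which the
    guideline asks to be checked separately (no cipher list, or the policy
    value, or gnutls_set_default_priority())."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        if not m or m.group("key") not in KEY_LIBRARY:
            continue
        key = m.group("key")
        val = m.group("val").strip().strip("\"'")
        want = EXPECTED[KEY_LIBRARY[key]]
        verdict = "ok" if val == want else f"non-compliant: expected {want}"
        findings.append((no, key, val, verdict))
    return findings


def is_compliant(text):
    """True when every cipher key present defers to the system policy."""
    return all(f[3] == "ok" for f in check_config(text))


# Constructed sample configs: one deferring to the policy, one bypassing it.
GOOD_CONF = """# constructed sample: defaults defer to the system policy
ssl_cipher_list = PROFILE=SYSTEM
tls_priority = "@SYSTEM"
"""
BAD_CONF = """# constructed sample: hard-coded lists bypass the policy
ssl_cipher_list = HIGH:!aNULL:!MD5   # pins a list regardless of policy
tls_priority = NORMAL:-VERS-SSL3.0
"""
```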

