enforcing a consistent crypto policy

Nikos Mavrogiannopoulos nmav at redhat.com
Fri Jan 17 12:53:42 UTC 2014


On Thu, 2014-01-16 at 11:57 -0500, Hubert Kario wrote:

> > Hello,
> >  I am working on a draft common crypto policy for Fedora. The idea is to
> > be able to set a security level for all TLS/SSL connections in a system
> > (which will of course allow the user to use any application-specific
> > overrides).
> > The draft change is at:
> > https://fedoraproject.org/wiki/Changes/CryptoPolicy
> > and is not submitted yet as I'd appreciate any comments, suggestions for
> > improvement or any help in implementing it. The current policy is
> > restricted to TLS and SSL libraries to have a manageable work effort but
> > the idea is to convert gradually all crypto applications and libraries.
> Order of cipher suites is just as important as which ones are enabled.

Hello Hubert,
 Indeed, an ordered list was meant and I've clarified that.

> "minimum acceptable size of parameters" is missing ECDHE, and I'm assuming
> that by DH you mean ephemeral version of it. Specifying it explicitly may
> be a good idea.

Updated.

regards,
Nikos
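The two points settled in this exchange, that the cipher suite list is an ordered preference list and that minimum parameter sizes must cover DHE and ECDHE separately, can be modelled in a few lines. The following is an added illustration, not code from the thread or from Fedora's crypto-policy implementation; the policy format, the suite names, the `Policy`, `order_suites`, `check_connection`, `apply_override` and `weakenings` helpers and the bit sizes are all constructed for the example.

```python
"""Toy model of a system-wide TLS crypto policy with application overrides.

Constructed illustration: the policy format, names and numbers below are
assumptions for this example, not the Fedora CryptoPolicy draft's format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Ordered cipher suite preference plus minimum parameter sizes in bits."""
    cipher_suites: tuple   # most preferred first; order is part of the policy
    min_bits: dict         # keyed by key-exchange family, e.g. "DHE", "ECDHE"


# Constructed sample system policy (assumption, not the draft's contents).
SYSTEM_POLICY = Policy(
    cipher_suites=(
        "ECDHE-RSA-AES128-GCM-SHA256",
        "DHE-RSA-AES128-GCM-SHA256",
        "AES128-SHA",
    ),
    # DHE and ECDHE are listed explicitly: a 2048-bit DH group and a 256-bit
    # curve are different things and need separate minimums.
    min_bits={"RSA": 2048, "DHE": 2048, "ECDHE": 256},
)


def key_exchange_of(suite):
    """Derive the key-exchange family from an OpenSSL-style suite name."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith("DHE-"):
        return "DHE"
    return "RSA"  # static RSA key transport


def order_suites(policy, supported):
    """Restrict the suites an application supports to the policy's list and
    sort them into the policy's preference order; the application's own
    ordering is deliberately ignored, since order is part of the policy."""
    rank = {s: i for i, s in enumerate(policy.cipher_suites)}
    return tuple(sorted((s for s in supported if s in rank), key=rank.__getitem__))


def check_connection(policy, suite, params_bits):
    """Check one negotiated connection against the policy.

    params_bits is the size of the parameter the suite's key exchange used
    (RSA modulus, DH group, or EC curve order).  Returns (ok, reason).
    """
    if suite not in policy.cipher_suites:
        return False, "cipher suite not in policy"
    kx = key_exchange_of(suite)
    minimum = policy.min_bits.get(kx)
    if minimum is None:
        # A family with no minimum is rejected rather than silently allowed.
        return False, f"no minimum defined for {kx}"
    if params_bits < minimum:
        return False, f"{kx} parameters {params_bits} < {minimum} bits"
    return True, "ok"


def apply_override(policy, suites=None, min_bits=None):
    """Merge an application-specific override into the system policy.
    Unspecified settings are inherited from the system policy."""
    merged_bits = dict(policy.min_bits)
    merged_bits.update(min_bits or {})
    return Policy(
        cipher_suites=tuple(suites) if suites is not None else policy.cipher_suites,
        min_bits=merged_bits,
    )


def weakenings(system, app):
    """List the ways an application policy is weaker than the system one.
    An empty list means the override only restricts or matches the system."""
    out = []
    for s in app.cipher_suites:
        if s not in system.cipher_suites:
            out.append(f"suite {s} not allowed by system policy")
    for kx, bits in app.min_bits.items():
        sys_min = system.min_bits.get(kx)
        if sys_min is not None and bits < sys_min:
            out.append(f"{kx} minimum lowered {sys_min} -> {bits}")
    return out


if __name__ == "__main__":
    app = apply_override(SYSTEM_POLICY, min_bits={"DHE": 1024})
    print(order_suites(SYSTEM_POLICY, ("AES128-SHA", "RC4-SHA",
                                       "ECDHE-RSA-AES128-GCM-SHA256")))
    print(check_connection(SYSTEM_POLICY, "DHE-RSA-AES128-GCM-SHA256", 1024))
    print(weakenings(SYSTEM_POLICY, app))
```

`weakenings` is the audit hook: overrides are permitted, as the draft intends, but an administrator can list every application whose override lowers the system bar instead of discovering it after a downgrade.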
