Fedora crypto policy vs the real world Was: available crypto policies

Eric H. Christensen sparks at fedoraproject.org
Mon May 5 16:25:57 UTC 2014



On Mon, May 05, 2014 at 06:19:01PM +0200, Nikos Mavrogiannopoulos wrote:
> On Mon, 2014-05-05 at 12:16 -0400, Eric H. Christensen wrote:
> > > > > 3. Users switching to some other distribution where things just work.
> > > > This is being done upstream of Fedora.
> > > 
> > > The crypto policy is about fedora, we are upstream on that.
> > > https://fedoraproject.org/wiki/Changes/CryptoPolicy
> > 
> > Yes, and this is largely going to be a server-side change.  The default policy is none (meaning whatever the software wants to do).
> 
> Could you please elaborate on what you mean above? The default policy
> will not be none after the change. This is the whole purpose of the
> change.

Wow, this feature has changed since the last time I looked at it.  I was under the impression this would only be used to force compliance with security policies.  Nonetheless, I don't disagree with DEFAULT, here.  Using RC4 and MD5 is just asking for trouble.  Sure, it might break some things but 1) those sites should be fixed and 2) using RC4 and MD5 is just providing a false sense of security.  A line should be drawn somewhere.  Again, it's 2014... stop making bad crypto decisions.

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security Team

sparks at redhat.com - sparks at fedoraproject.org
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
--------------------------------------------------