Crypto guidelines for Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I recently noticed that several packages in Fedora create RSA keys with
inappropriate key sizes:

dnssec-trigger creates RSA 1536 keys with certificate that is valid for
20 years:
https://bugzilla.redhat.com/show_bug.cgi?id=1045689

dropbear-keygen creates by default RSA 1024 keys:
https://bugzilla.redhat.com/show_bug.cgi?id=1039311

Some other observations:
ssh-keygen on F19 creates RSA 2048 keys by default

ENISA recommends to at least RSA 3072 keys:
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report

If e.g. AES-256 is used. RSA 15360 is recommended for long-term usage.


Therefore I would like to propose a packaging guideline about which
minimum key size software in Fedora should generate by default. It seems
to me that requiring RSA 3072 key by default in Fedora is a good initial
compromise. I did not notice RSA keys with more than 4096 bits
regularly, therefore I am not sure whether using RSA 15360 keys by
default is a good idea.

What is your opinion?

Regards
Till
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux