On Sat, Dec 21, 2013 at 9:38 AM, Till Maas <opensource@xxxxxxxxx> wrote:

> Therefore I would like to propose a packaging guideline about which
> minimum key size software in Fedora should generate by default.

Such guidelines would be very desirable. The following needs to be addressed:

* Do we have the expertise to define the requirements? We could just follow the ENISA report or http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf , but each such publication has a risk of carrying an agenda. (Note that choosing the algorithms is just as important as choosing the key sizes.)

* Do we have the expertise to follow the requirements? The package maintainers would have to understand the source code to a much deeper extent than we've typically required. (I do think such a change in expectations would be a very good thing.)

* Can we actually get this done? Uses of MD5 and DES are probably a bigger threat, and I'm afraid we haven't made that much progress on eradicating them, over many years.

Mirek

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security