On Thu, Jan 02, 2014 at 05:47:34PM +0100, Miloslav Trmač wrote:
> On Sat, Dec 21, 2013 at 9:38 AM, Till Maas <opensource@xxxxxxxxx> wrote:
> > Therefore I would like to propose a packaging guideline about which
> > minimum key size software in Fedora should generate by default.
>
> Such guidelines would be very desirable. The following needs to be addressed:
>
> * Do we have the expertise to define the requirements? We could just
> follow the ENISA report or
> http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf ,
> but each such publication has a risk of carrying an agenda. (Note
> that choosing the algorithms is just as important as choosing the key
> sizes.)

At least with minimal key sizes no harm can be done as long as no
package uses shorter minimal key sizes because of this. Also for
algorithms I think it is a good idea to ban certain bad algorithms by
default but allow for packages to support stronger variants by default
if upstream decided so. But if one upstream decides it, there might be a
good reason to make it default for Fedora.

> * Do we have the expertise to follow the requirements? The package
> maintainers would have to understand the source code to a much deeper
> extent than we've typically required. (I do think such a change in
> expectations would be a very good thing.)

At least for default key sizes it should be only a constant that needs
to be changed as long as the software itself supports bigger keys. But I
would solve this when problems appear.

> * Can we actually get this done? Uses of MD5 and DES are probably a
> bigger threat, and I'm afraid we haven't made that much progress on
> eradicating them, over many years.

Changing algorithms is a lot harder than changing minimal key sizes. But
it is moving on.

Regards
Till
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security