On 08/08/14 09:20, Nikos Mavrogiannopoulos wrote:
> Hello,
> I plan to submit the following text for packaging guidelines regarding
> crypto policies. Are there any comments or suggestions?
>
> Since Fedora 21 (http://fedoraproject.org/wiki/Changes/CryptoPolicy)
> there are policies for the usage of SSL and TLS cryptographic protocols
> that are enforced system-wide. Each application being added in Fedora
> must be checked to comply with the policies. Currently the policies are
> restricted to applications using GnuTLS and OpenSSL.
>
> * OpenSSL applications: If the application provides a configuration
> file that allows to modify the cipher list string, ensure that the
> default is "PROFILE=SYSTEM". Otherwise, if the application doesn't have
> a configuration file, ensure that there is no default cipher list
> specified, or that the default list is set as "PROFILE=SYSTEM".
>
> * GnuTLS applications: If the application provides a configuration file
> that allows to modify the cipher priority string, ensure that the
> default is "@SYSTEM". Otherwise, if the application doesn't have a
> configuration file, ensure that it uses gnutls_set_default_priority(),
> or that the default priority string is "@SYSTEM".
>
> Applications utilizing other cryptographic libraries do not adhere to
> the system wide crypto policies.
>
> regards,
> Nikos
>
>
> --
> security mailing list
> security@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/security

What about GNUPG? And what will that default be set to? Because certain
ciphers that NIST seems to think are OK, are not OK, as we found out.
And who decides which cyphers are good in that context? Are we following
bettercrypto.org's paper?

Regards,
Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down, and I am
therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
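
A packaging-review check for the OpenSSL and GnuTLS rules in the quoted proposal, as an added example that is not part of the original thread. It flags calls that pass a string literal other than "PROFILE=SYSTEM" or "@SYSTEM"; the library function names are real OpenSSL/GnuTLS calls, while `audit_source` and the sample C source are constructed for illustration.

```python
import re

# Calls whose second argument is the cipher list / priority string, mapped to
# the default the proposed guideline expects. gnutls_set_default_priority()
# takes no string and is acceptable as-is, so it is not listed here.
CALLS = {
    "SSL_CTX_set_cipher_list": "PROFILE=SYSTEM",
    "SSL_set_cipher_list": "PROFILE=SYSTEM",
    "gnutls_priority_set_direct": "@SYSTEM",
    "gnutls_priority_init": "@SYSTEM",
}

# Limitation (assumption of this sketch): the first argument must be a plain
# expression without commas or parentheses, e.g. `ctx` or `&cache`.
CALL_RE = re.compile(
    r"\b(?P<func>" + "|".join(CALLS) + r")\s*\(\s*[^,()]+,\s*"
    r'(?P<arg>"(?:[^"\\]|\\.)*"|[^,)]+)'
)

def audit_source(text):
    """Return (line, function, argument, verdict) for each matching call."""
    findings = []
    for m in CALL_RE.finditer(text):
        func, arg = m.group("func"), m.group("arg").strip()
        line = text.count("\n", 0, m.start()) + 1
        if not arg.startswith('"'):
            verdict = "review"      # variable or macro: trace its default by hand
        elif arg[1:-1] == CALLS[func]:
            verdict = "ok"          # follows the system-wide policy
        else:
            verdict = "hardcoded"   # literal that bypasses the system policy
        findings.append((line, func, arg, verdict))
    return findings

# Constructed sample source, not taken from any real package.
SAMPLE = '''\
int setup(SSL_CTX *ctx, gnutls_session_t s, const char *cfg_ciphers) {
    SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5");
    SSL_CTX_set_cipher_list(ctx, "PROFILE=SYSTEM");
    SSL_CTX_set_cipher_list(ctx, cfg_ciphers);
    gnutls_priority_set_direct(s, "NORMAL:-VERS-SSL3.0", NULL);
    gnutls_priority_set_direct(s, "@SYSTEM", NULL);
    return 0;
}
'''

if __name__ == "__main__":
    for line, func, arg, verdict in audit_source(SAMPLE):
        print(f"line {line}: {func}({arg}) -> {verdict}")
```

A "review" verdict means the string comes from a variable, so the reviewer still has to confirm that the configuration default feeding it is "PROFILE=SYSTEM" or "@SYSTEM".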