On Feb 27, 2014 8:25 AM, "Jaroslav Reznik" <jreznik@xxxxxxxxxx> wrote:
>
> = Proposed System Wide Change: System-wide crypto policy =
> https://fedoraproject.org/wiki/Changes/CryptoPolicy
> == Detailed Description ==
> The idea is to have some predefined security levels such as LEVEL-80,
> LEVEL-128, LEVEL-256, or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128,
> SUITEB-256. These will be the security levels that the administrator
> of the system will be able to configure by modifying
> /usr/lib/crypto-profiles/config
> /etc/crypto-profiles/config
>
> and that are applied after executing update-crypto-profiles.
> (Note: it would be better to have a daemon that watches those files and
> runs update-crypto-profiles automatically)
>
> After that the administrator should be assured that any application
> that uses the system settings will follow a policy that adheres to
> the configured profile.
>
> Ideally setting a profile should be setting:
> * the acceptable TLS/SSL (and DTLS) versions
> * the acceptable ciphersuites and the preferred order
> * acceptable parameters in certificates and key exchange, i.e.:
> ** the minimum acceptable size of parameters (DH,ECDH,RSA,DSA,ECDSA)
> ** the acceptable elliptic curves (ECDH,ECDSA)
> ** the acceptable signature hash functions
> * other TLS options such as:
> ** safe renegotiation
>
Does this configuration limit the algorithms that are available or only the options that can be given to those algorithms or only the default values of those algorithms?
-Toshio