Jaroslav Reznik (jreznik@xxxxxxxxxx) said:
> = Proposed System Wide Change: System-wide crypto policy =
> https://fedoraproject.org/wiki/Changes/CryptoPolicy
>
> Change owner(s): Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx>
>
> Unify the crypto policies used by different applications and libraries. That is,
> allow setting a consistent security level for crypto on all applications in a
> Fedora system.
>
> == Detailed Description ==
> The idea is to have some predefined security levels such as LEVEL-80,
> LEVEL-128, LEVEL-256, or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256.
> These will be the security levels that the administrator of the system will
> be able to configure by modifying
> /usr/lib/crypto-profiles/config
> /etc/crypto-profiles/config
>
> and being applied after executing update-crypto-profiles.
> (Note: it would be better to have a daemon that watches those files and
> runs update-crypto-profiles automatically)

How is an admin supposed to know what levels such as the above are, and why
they might choose a particular one?

> * Proposal owners: For GnuTLS and OpenSSL the "SYSTEM" cipher needs to be
> understood and behave as described. For NSS the NSS_SetDomesticPolicy() can be
> overloaded to behave as above.
>
> After that a mechanism to specify crypto policies for Fedora has to be
> devised, as well as the extraction to each library's settings.
>
> * Other developers: Packages that use SSL crypto libraries should, after the
> previous change is complete, start replacing the default cipher strings with
> SYSTEM.

This implies a potentially not insignificant local patch load. Am I
misunderstanding it?

Bill