On Thu, 2014-02-27 at 11:52 -0500, Bill Nottingham wrote:
> > == Detailed Description ==
> > The idea is to have some predefined security levels such as LEVEL-80,
> > LEVEL-128, LEVEL-256,
> > or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256. These will be the
> > security levels
> > that the administrator of the system will be able to configure by modifying
> > /usr/lib/crypto-profiles/config
> > /etc/crypto-profiles/config
> > and being applied after executing update-crypto-profiles.
> > (Note: it would be better to have a daemon that watches those files and
> > runs update-crypto-profiles automatically)
>
> How is an admin supposed to know what levels such as the above are, and why
> they might choose a particular one?

They will be documented. They could be part of the configuration file that
can be edited. The policies above are indicative, so if there are
suggestions they will be considered.

> >
> > * Proposal owners: For GnuTLS and OpenSSL the "SYSTEM" cipher needs to be
> > understood and behave as described. For NSS the NSS_SetDomesticPolicy() can be
> > overloaded to behave as above.
> > After that a mechanism to specify crypto policies for Fedora has to be
> > devised, as well as the extraction to each libraries' settings.
> > * Other developers: Packages that use SSL crypto libraries should, after the
> > previous change is complete, start replacing the default cipher strings with
> > SYSTEM.
>
> This implies a potentially not insignificant local patch load. Am I
> misunderstanding it?

You are understanding correctly. This is not a small project and any help is
appreciated.

regards,
Nikos
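To make the LEVEL-n idea in the quoted proposal concrete, here is an added example (not part of the thread and not code from any Fedora tool) that resolves a level from the two config files and turns it into minimum parameters using the NIST SP 800-57 comparable-strength table. The file format (one level name, `#` comments), the rule that /etc overrides /usr/lib, and all function names are assumptions; only the LEVEL-n names are modelled, since the page does not define the ENISA or SUITEB profiles.

```python
import re

# Comparable strengths from NIST SP 800-57 Part 1 (bits of security).
RSA_DH_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
SYMMETRIC_STRENGTH = {"3DES": 112, "AES-128": 128, "AES-256": 256}

def parse_config(text):
    """Return the first non-comment token, upper-cased, or None.
    Assumed file format: one level name, '#' starts a comment."""
    for line in (text or "").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            return line.upper()
    return None

def effective_level(vendor_text, local_text):
    """Assumption: /etc (local) overrides /usr/lib (vendor default)."""
    return parse_config(local_text) or parse_config(vendor_text)

def level_bits(level):
    """Only LEVEL-<n> is modelled; anything else fails closed."""
    m = re.fullmatch(r"LEVEL-(\d+)", level or "")
    if not m:
        raise ValueError(f"unsupported or missing level: {level!r}")
    return int(m.group(1))

def min_rsa_dh_bits(bits):
    """Smallest RSA/DH modulus whose strength meets the level."""
    for modulus, strength in RSA_DH_STRENGTH:
        if strength >= bits:
            return modulus
    raise ValueError(f"no RSA/DH size reaches {bits} bits")

def resolve(vendor_text, local_text):
    """Map the effective level to the parameters a library would enforce."""
    level = effective_level(vendor_text, local_text)
    bits = level_bits(level)
    return {
        "level": level,
        "min_rsa_dh_bits": min_rsa_dh_bits(bits),
        "ciphers": sorted(c for c, s in SYMMETRIC_STRENGTH.items() if s >= bits),
    }

if __name__ == "__main__":
    vendor = "# constructed vendor default\nLEVEL-80\n"
    local = "# constructed admin override\nlevel-128\n"
    print(resolve(vendor, local))
```

An unknown or missing level raises instead of falling back to a permissive default, so a typo in the config cannot silently weaken the policy.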